librarian

Pass

Audited by Gen Agent Trust Hub on Apr 1, 2026

Risk Level: SAFE
Full Analysis
  • [SAFE]: The skill securely manages database credentials by referencing environment variables (${DB2i_HOST}, ${DB2i_USER}, ${DB2i_PASS}) in tools/librarian.yaml rather than hardcoding sensitive information.
  • [SAFE]: All tools defined in tools/librarian.yaml are strictly read-only, as indicated by the security: readOnly: true and readOnlyHint: true metadata, which limits the skill's impact to informational data retrieval.
  • [SAFE]: The SQL statements use named parameter binding (e.g., :library_name, :list_type, :object_schema) to pass user input to the IBM i database, which prevents SQL injection.
  • [PROMPT_INJECTION]: The skill presents a surface for indirect prompt injection because it retrieves user-controllable metadata (such as OBJTEXT and TEXT_DESCRIPTION) from the IBM i system. If a malicious user with object-creation permissions on the system populates these fields with instructions, they could influence the agent's behavior when it processes the query results.
      • Ingestion points: Tools such as get_library_info and list_library_objects in tools/librarian.yaml fetch data from the QSYS2.OBJECT_STATISTICS table function.
      • Boundary markers: None present in the tool output processing.
      • Capability inventory: The skill provides access to read-only system metadata via the ibmi tool.
      • Sanitization: None detected for descriptive text fields retrieved from the database.
  • [SAFE]: The ignore-unauthorized: true setting in the ibmi-system source configuration allows the connection to proceed even if the server's SSL certificate cannot be verified. While this increases risk on untrusted networks, it is a common configuration for internal legacy database environments and does not constitute a malicious pattern.
Audit Metadata
Risk Level: SAFE
Analyzed: Apr 1, 2026, 02:34 PM