Skills
skills/cline/skills/firestore-data/Gen Agent Trust Hub

firestore-data

Pass

Audited by Gen Agent Trust Hub on Jun 19, 2026

Risk Level: SAFEPROMPT_INJECTIONCOMMAND_EXECUTIONEXTERNAL_DOWNLOADSCREDENTIALS_UNSAFE
Full Analysis
  • [PROMPT_INJECTION]: Indirect Prompt Injection vulnerability surface.
  • Ingestion points: get_documents.js, list_collections.js, and query_collection.js retrieve arbitrary document data and collection hierarchies from external Firestore databases into the agent's context.
  • Boundary markers: The skill does not implement delimiters or explicit 'ignore embedded instructions' warnings for data retrieved from Firestore.
  • Capability inventory: The skill provides destructive and modification capabilities through add_documents.js, delete_documents.js, and update_document.js (all executing shell commands via npx).
  • Sanitization: Data retrieved from the database is passed to the agent without sanitization or validation of its content.
  • [COMMAND_EXECUTION]: All scripts in the scripts/ directory use the spawn method to execute shell commands. Specifically, they invoke npx to run the @toolbox-sdk/server CLI tool. On Windows systems, shell: true is utilized.
  • [EXTERNAL_DOWNLOADS]: The skill dynamically fetches the @toolbox-sdk/server@1.1.0 package from the NPM registry during execution using the npx --yes command.
  • [CREDENTIALS_UNSAFE]: The scripts contain logic to locate and read .env files from parent directories (e.g., ../../../.env) to load sensitive configuration such as FIRESTORE_DATABASE. This is a standard practice for secret management in developer tools but involves accessing sensitive file paths.
Audit Metadata
Risk Level
SAFE
Analyzed
Jun 19, 2026, 12:27 PM
Security Audit — agent-trust-hub — firestore-data