
oracledb

Warn

Audited by Gen Agent Trust Hub on Jun 19, 2026

Risk Level: MEDIUM
[CREDENTIALS_UNSAFE] [EXTERNAL_DOWNLOADS] [COMMAND_EXECUTION] [PROMPT_INJECTION]
Full Analysis
  • [CREDENTIALS_UNSAFE]: The scripts in the scripts/ directory (e.g., execute_sql.js, list_tables.js) contain a mergeEnvVars function that programmatically reads and parses a .env file located at ../../../.env. This file is accessed to retrieve sensitive database credentials and configuration.
  • [EXTERNAL_DOWNLOADS]: Each script uses npx to download and execute the @toolbox-sdk/server@1.1.0 package from the npm registry at runtime to perform its database operations.
  • [COMMAND_EXECUTION]: The scripts invoke the npx tool using child_process.spawn. On Windows systems, the scripts explicitly set shell: true, which executes the command within a shell environment and can increase susceptibility to command injection if arguments are not strictly validated.
  • [PROMPT_INJECTION]: The skill represents an indirect prompt injection surface as it retrieves and displays data from an Oracle database (e.g., in list_active_sessions.js and list_tables.js). If the database contains malicious instructions in session metadata or schema comments, these could be ingested into the agent's context.
  • [PROMPT_INJECTION]: Evidence Chain:
      1. Ingestion points: Database query results and metadata processed in all scripts under scripts/.
      2. Boundary markers: None identified in the instruction markdown or scripts.
      3. Capability inventory: The skill can execute arbitrary SQL (execute_sql.js) and run shell commands via npx (spawn in all scripts).
      4. Sanitization: No evidence of output sanitization or filtering of database content before it is returned to the agent.
Audit Metadata
Risk Level: MEDIUM
Analyzed: Jun 19, 2026, 12:28 PM