spanner-data

Warn

Audited by Gen Agent Trust Hub on Jun 19, 2026

Risk Level: MEDIUM
REMOTE_CODE_EXECUTION, EXTERNAL_DOWNLOADS, DATA_EXFILTRATION, COMMAND_EXECUTION, PROMPT_INJECTION

Full Analysis
  • [REMOTE_CODE_EXECUTION]: All scripts in the skill utilize npx --yes @toolbox-sdk/server@1.1.0 to download and immediately execute a server package from the NPM registry. This pattern executes code from a remote source that is not verified or bundled with the skill.
  • [EXTERNAL_DOWNLOADS]: The use of npx triggers an external network request to the NPM registry at runtime to fetch the @toolbox-sdk/server package, creating a dependency on external infrastructure during execution.
  • [DATA_EXFILTRATION]: The mergeEnvVars function in each script attempts to read a .env file located three levels above the script directory (../../../.env) when running in certain environments. This behavior exposes potentially sensitive configuration data, such as API keys or credentials from the user's project root, to the skill's context.
  • [COMMAND_EXECUTION]: The scripts use child_process.spawn with the shell: true option on Windows platforms. While there is manual logic to escape double quotes in the processedArgs, this approach is often insufficient to prevent command injection if malicious or unexpected input is passed through the command-line arguments.
  • [PROMPT_INJECTION]: The execute_sql and execute_sql_dql tools provide an attack surface for indirect prompt injection as they allow the execution of arbitrary SQL strings.
      • Ingestion points: The sql parameter in execute_sql.js and execute_sql_dql.js acts as the primary entry point for external data.
      • Boundary markers: There are no specific delimiters or instructions to the agent to treat the input as untrusted or to ignore embedded instructions.
      • Capability inventory: The skill has permissions to read from and write to a Spanner database, as well as execute shell commands via npx.
      • Sanitization: No SQL parameterization, escaping, or validation is performed on the input strings before they are passed to the database interface.

Audit Metadata
  • Risk Level: MEDIUM
  • Analyzed: Jun 19, 2026, 12:28 PM