databricks-unity-catalog

Pass

Audited by Gen Agent Trust Hub on Apr 8, 2026

Risk Level: SAFE
Findings: DATA_EXFILTRATION, PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
  • [DATA_EXFILTRATION]: The skill facilitates the retrieval of sensitive operational metadata, including audit logs, billing information, and user activity records. It also provides tools for bidirectional file transfer between cloud-based Unity Catalog Volumes and local storage via the upload_to_volume and download_from_volume tools. While these capabilities are fundamental to the skill's purpose for governance and administration, they provide a surface for data harvesting if used outside of secure parameters.
  • [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it processes data from system tables (e.g., audit logs, query history, lineage) that can be influenced by external actors performing actions within the Databricks environment.
      ◦ Ingestion points: System tables such as system.access.audit, system.query.history, and system.access.table_lineage (documented in 5-system-tables.md).
      ◦ Boundary markers: No specific delimiters or instructions to ignore embedded commands are present when querying or displaying log data.
      ◦ Capability inventory: The agent uses mcp__databricks__execute_sql for executing queries and volume management tools across the referenced files.
      ◦ Sanitization: There is no evidence of sanitization, escaping, or validation of the content retrieved from the system tables before it is processed by the agent.
  • [COMMAND_EXECUTION]: The skill makes extensive use of SQL execution via mcp__databricks__execute_sql and references Databricks CLI commands for managing system schemas. This allows for direct interaction with the Databricks control plane and data plane, which requires careful management of agent permissions.
Audit Metadata
Risk Level: SAFE
Analyzed: Apr 8, 2026, 06:34 AM
Security Audit — agent-trust-hub — databricks-unity-catalog