alloydb-omni-monitor

Warn

Audited by Gen Agent Trust Hub on Apr 29, 2026

Risk Level: MEDIUM
Findings: COMMAND_EXECUTION, EXTERNAL_DOWNLOADS
Full Analysis
  • [COMMAND_EXECUTION]: The scripts utilize child_process.spawn with the shell: true option on Windows platforms. This allows the execution of commands with arguments passed directly from the environment, which can be exploited for command injection if the input strings are not strictly validated.
  • [EXTERNAL_DOWNLOADS]: All scripts in the skill use npx --yes @toolbox-sdk/server@1.1.0 to download and execute code from the NPM registry at runtime. This introduces a dependency on the availability and integrity of the remote package.
  • [DATA_EXPOSURE]: The mergeEnvVars function is designed to read environment variables from a .env file located three levels above the script directory (../../../.env). This behavior may inadvertently load sensitive configuration data from the user's broader project structure into the skill's execution context.
Audit Metadata
Risk Level
MEDIUM
Analyzed
Apr 29, 2026, 05:18 AM