alloydb-postgres-admin

Fail

Audited by Gen Agent Trust Hub on Apr 28, 2026

Risk Level: HIGH
Tags: COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION, DATA_EXFILTRATION
Full Analysis
  • [COMMAND_EXECUTION]: All scripts in the scripts/ directory (e.g., create_cluster.js, database_overview.js) call child_process.spawn with the shell: true option when running on Windows. With that option the command and its arguments are joined into one string and parsed by cmd.exe, so any shell metacharacter in a user-supplied value is interpreted rather than passed through; this is a high-risk pattern for command injection.
  • [EXTERNAL_DOWNLOADS]: The skill uses npx to download and execute the @toolbox-sdk/server@1.1.0 package from the npm registry at runtime. This introduces a dependency on external code that is not bundled with the skill.
  • [PROMPT_INJECTION]: The skill is vulnerable to indirect command injection (Category 8 surface). User-provided parameters such as cluster IDs and passwords are passed to the shell on Windows with insufficient sanitization: the escaping logic only handles double quotes and does not neutralize cmd.exe metacharacters such as &, |, and ^, so a crafted value can terminate the intended argument and run an arbitrary side-command. Because an agent fills these parameters from whatever content it is given, a value planted in a document or query result reaches the shell without a human ever typing it.
  • Ingestion points: Input parameters defined in SKILL.md (e.g., cluster, password, instance).
  • Boundary markers: None provided in the instructions to prevent the agent from obeying instructions embedded in user data.
  • Capability inventory: Shell execution via spawn and package execution via npx present in all script files.
  • Sanitization: Inadequate; only double quotes are escaped on Windows, which does not prevent command chaining via other shell operators.
  • [DATA_EXFILTRATION]: The mergeEnvVars function in each script reads a .env file from three directory levels above the script's directory (../../../.env), i.e. from the enclosing project rather than from the skill itself, and merges what it finds into the skill's environment. Credentials or configuration belonging to the parent project thereby become readable by the skill and by any process it spawns, which is how they could be exposed.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: Apr 28, 2026, 10:19 PM