alloydb-postgres-admin

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 0.90). The skill requires a plaintext "password" parameter for create_cluster (and may collect it from the user) which the agent would need to include verbatim in API requests or generated commands, creating an exfiltration risk.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The skill's scripts run npx to fetch and execute the npm package @toolbox-sdk/server@1.1.0 from the public npm registry (e.g. https://www.npmjs.com/package/@toolbox-sdk/server or registry.npmjs.org), which downloads and runs remote code at runtime and is required for the tool to operate.