alloydb-postgres-replication

Warn

Audited by Gen Agent Trust Hub on Apr 28, 2026

Risk Level: MEDIUM
EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, COMMAND_EXECUTION
Full Analysis
  • [EXTERNAL_DOWNLOADS]: The scripts utilize npx to download the @toolbox-sdk/server@1.1.0 package from the public NPM registry during execution.
    • Evidence: Found in all script files within the main function where npxArgs are defined.
  • [REMOTE_CODE_EXECUTION]: By invoking npx --yes, the skill executes code from an external dependency fetched at runtime, creating a dependency on the integrity of the external package and registry.
    • Evidence: const npxArgs = ["--yes", "@toolbox-sdk/server@1.1.0", ...] used in the spawn call.
  • [COMMAND_EXECUTION]: The scripts use child_process.spawn to run commands. On Windows platforms, the shell: true option is enabled, which can be vulnerable to command injection if arguments provided by the agent are not strictly sanitized.
    • Evidence: const child = spawn(command, npxArgs, { shell: os.platform() === 'win32', stdio: 'inherit', env });
Audit Metadata
Risk Level
MEDIUM
Analyzed
Apr 28, 2026, 10:25 PM