cloud-sql-mysql-admin

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 1.00). This skill lists sensitive parameters (rootPassword, user password) and shows invoking scripts by embedding parameter JSON on the command line, which would require the LLM to output those secret values verbatim in commands or code.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The skill scripts call npx to fetch and run the remote package @toolbox-sdk/server@1.1.0 (e.g. via the npm registry at https://www.npmjs.com/package/@toolbox-sdk/server) at runtime, which downloads and executes remote code that the skill depends on—so this external URL/package is used during runtime and executes remote code.