cloud-sql-postgres-monitor

Warn

Audited by Gen Agent Trust Hub on Apr 28, 2026

Risk Level: MEDIUM
EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, DATA_EXFILTRATION
Full Analysis
  • [EXTERNAL_DOWNLOADS]: All scripts in the skill utilize the npx command to dynamically fetch the @toolbox-sdk/server package from the public npm registry during execution.
  • [REMOTE_CODE_EXECUTION]: By invoking npx --yes @toolbox-sdk/server@1.1.0, the skill executes third-party code that is not bundled with the skill or locally audited, creating a runtime dependency on external package integrity.
  • [COMMAND_EXECUTION]: The scripts pass user-supplied arguments to a sub-process via child_process.spawn. On Windows systems, this execution occurs within a shell environment (shell: true), which can be vulnerable to command injection if malicious characters are included in the parameters.
  • [DATA_EXFILTRATION]: The scripts contain logic to read sensitive environment variables from a .env file located at a relative path (../../../.env). This allows the skill to access credentials from the host project's environment when specific platform flags are detected.
  • [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection through the processing of untrusted user input.
    • Ingestion points: User-provided query, instanceId, and projectId parameters in SKILL.md are passed directly to scripts.
    • Boundary markers: Absent. User input is passed as command-line arguments without using protective delimiters or sanitization beyond basic quote-escaping for Windows.
    • Capability inventory: The skill has the ability to execute arbitrary shell commands via spawn and read local system files using fs.readFileSync across all script files.
    • Sanitization: Minimal character escaping is applied for Windows shell compatibility; however, there is no validation or filtering of the SQL or PromQL query logic provided by the user.
Audit Metadata
Risk Level: MEDIUM
Analyzed: Apr 28, 2026, 10:24 PM