cloud-sql-sqlserver-lifecycle

Warn

Audited by Gen Agent Trust Hub on Apr 29, 2026

Risk Level: MEDIUM
COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The scripts use child_process.spawn with shell: true when running on Windows to execute npx. Parameters from the command line (process.argv) are passed to the shell with insufficient sanitization, creating a surface where malicious input could lead to arbitrary command execution on the host system.
  • [EXTERNAL_DOWNLOADS]: The skill dynamically fetches and executes the @toolbox-sdk/server@1.1.0 package from the NPM registry at runtime using npx. This results in the execution of code not locally contained within the skill package.
  • [DATA_EXFILTRATION]: Each script in the skill includes logic to read sensitive .env files from multiple parent directory levels (../../../.env). This pattern is used to harvest environment variables and credentials for GCP authentication, which constitutes access to sensitive local file paths.
  • [PROMPT_INJECTION]: The skill presents an indirect prompt injection surface as it processes untrusted input through a high-capability tool.
      • Ingestion points: User-provided arguments passed through process.argv in all scripts.
      • Boundary markers: None present; input is directly interpolated into command arguments.
      • Capability inventory: Subprocess spawning with shell access (spawn).
      • Sanitization: Primitive double-quote escaping for Windows platforms located in the main() function.
Audit Metadata
Risk Level: MEDIUM
Analyzed: Apr 29, 2026, 05:19 AM