cloud-sql-sqlserver-monitor

Fail

Audited by Gen Agent Trust Hub on Apr 29, 2026

Risk Level: HIGH
COMMAND_EXECUTION, EXTERNAL_DOWNLOADS
Full Analysis
  • [COMMAND_EXECUTION]: The script get_system_metrics.js is vulnerable to command injection on Windows. When calling child_process.spawn with shell: true, it quotes only those arguments that contain double quotes. Arguments without double quotes that contain shell metacharacters such as &, |, or ^ are passed to the shell unquoted, allowing arbitrary command execution if an attacker can influence the script's input.
  • [EXTERNAL_DOWNLOADS]: The skill uses npx to download and execute the @toolbox-sdk/server package from the official NPM registry at runtime, which introduces a dependency on external code.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level
HIGH
Analyzed
Apr 29, 2026, 05:18 AM