spanner-data
Warn
Audited by Gen Agent Trust Hub on Apr 29, 2026
Risk Level: MEDIUM (EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION)
Full Analysis
- [EXTERNAL_DOWNLOADS]: All scripts in the skill (execute_sql.js, execute_sql_dql.js, list_graphs.js, list_tables.js) use npx to download and execute the @toolbox-sdk/server@1.1.0 package from the npm registry during execution. This introduces a runtime dependency on external code.
- [COMMAND_EXECUTION]: The scripts utilize child_process.spawn to run commands. On Windows systems, the skill enables shell: true and passes unvalidated command-line arguments (process.argv) directly to the npx execution call, creating a surface for command or argument injection.
- [DATA_EXFILTRATION]: The skill contains logic to read environment variables from a .env file located at a relative path (../../../.env). While this is used to configure database access, it involves accessing sensitive credential files on the local filesystem.
- [PROMPT_INJECTION]: The skill creates a surface for indirect prompt injection via the SQL tools.
  - Ingestion points: The sql parameter in the execute_sql and execute_sql_dql scripts.
  - Boundary markers: Absent.
  - Capability inventory: The skill can execute DML and DQL queries against Spanner databases and execute shell commands via spawn.
  - Sanitization: No sanitization or SQL validation is performed before the query string is passed to the underlying toolbox server.