spanner-data

Warn

Audited by Socket on Apr 29, 2026

2 alerts found:

Anomaly (x2)

Anomaly (LOW): scripts/execute_sql.js

This module is best characterized as a high-impact subprocess launcher that delegates functionality to an external npx-invoked tool (execute_sql) and forwards both user-provided arguments and potentially sensitive environment variables. The most notable security risk is secret leakage/overexposure due to merging a local ../../../.env file (in GEMINI_CLI mode) into the child process environment without key allowlisting. Additional risk comes from npx runtime execution (supply-chain/runtime surface) and shell execution on Windows (shell:true), which increases the need for robust argument handling. No clear malicious payload (e.g., obfuscation, persistence, explicit exfiltration) is evident in the wrapper code itself; however, it should be reviewed in conjunction with the invoked @toolbox-sdk/server behavior and any handling of forwarded arguments.

Confidence: 63% | Severity: 66%

Anomaly (LOW): scripts/list_tables.js

No direct evidence of intentional malware exists in this wrapper module itself (no obfuscation, no direct exfiltration, no persistence, no credential harvesting code). However, it creates a meaningful supply-chain/command-delegation risk by executing a third-party package via npx and forwarding potentially sensitive environment variables; in particular, when GEMINI_CLI=1 it reads a local .env file and injects its contents into the child environment. Additionally, it passes user-supplied CLI arguments to the invoked tool with minimal validation, increasing the impact of any permissive behavior inside the dependency. Review the invoked toolbox package behavior, ensure the .env contents do not include secrets not intended for that tool, and consider running with a constrained environment in CI/production.

Confidence: 62% | Severity: 57%

Audit Metadata

Analyzed At: Apr 29, 2026, 05:19 AM
Package URL: pkg:socket/skills-sh/gemini-cli-extensions%2Fspanner%2Fspanner-data%2F@7a5ff75695c5d772b1bf6fcf6f7267ec00ac899e