performing-service-account-credential-rotation

Pass

Audited by Gen Agent Trust Hub on Apr 7, 2026

Risk Level: SAFE
Finding Tags: CREDENTIALS_UNSAFE, COMMAND_EXECUTION
Full Analysis
  • [CREDENTIALS_UNSAFE]: Potential exposure of sensitive tokens through command-line arguments. In scripts/agent.py, the main function retrieves the vault_token from sys.argv[2], which makes the token visible to other users on the system via process monitoring tools such as ps. Best practice is to pass the token through an environment variable or a secure configuration file instead.
  • [COMMAND_EXECUTION]: Use of subprocess calls to interact with cloud providers. The script scripts/agent.py uses subprocess.run to execute aws iam and az ad app commands for credential management. While this is the intended behavior, it requires the execution environment to be properly secured.
  • [COMMAND_EXECUTION]: Dynamic SQL construction in scripts/process.py. The rotate_database_password method uses f-string interpolation to build ALTER USER SQL statements. This is a potential SQL injection surface if the account names were ever sourced from untrusted or external input, although here they appear to come from internal configuration.
Audit Metadata
Risk Level
SAFE
Analyzed
Apr 7, 2026, 01:00 PM