data-analyst
Fail
Audited by Gen Agent Trust Hub on Mar 9, 2026
Risk Level: HIGH
COMMAND_EXECUTION, PROMPT_INJECTION, CREDENTIALS_UNSAFE, DATA_EXFILTRATION
Full Analysis
- [COMMAND_EXECUTION]: The script scripts/query.sh is vulnerable to shell command injection. In the MySQL execution path, the DB_CONNECTION variable is not quoted when passed to the mysql client (mysql $DB_CONNECTION), allowing an attacker to inject arbitrary shell commands if the connection string is derived from untrusted input.
- [PROMPT_INJECTION]: The skill is highly susceptible to indirect prompt injection. It ingests untrusted data from external SQL databases and spreadsheet files (CSV, Excel) to generate automated reports and insights. This creates a surface where malicious instructions embedded in the data could manipulate the agent's logic or downstream actions.
  - Ingestion points: SQL query results from scripts/query.sh and files in the data/ directory.
  - Capability inventory: Shell command execution via database clients and filesystem manipulation through the provided Python and shell scripts.
  - Boundary markers: None present; the skill lacks delimiters or instructions to ignore commands within processed data.
  - Sanitization: No input validation or sanitization is performed on ingested data before processing.
- [CREDENTIALS_UNSAFE]: The skill workflow involves handling sensitive database connection strings that often contain plaintext credentials. Passing these strings through environment variables or command-line flags, as seen in scripts/query.sh, increases the risk of credential leakage in logs or process viewers.
- [DATA_EXFILTRATION]: The skill's primary functionality of querying and exporting data from various sources provides a built-in mechanism for exfiltration. If an agent is compromised via prompt injection, these tools can be used to silently extract large volumes of data to local files or reports.
Recommendations
- AI detected serious security threats
Audit Metadata