using-neon

Fail

Audited by Gen Agent Trust Hub on Feb 15, 2026

Risk Level: CRITICAL
Categories: REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION, CREDENTIALS_UNSAFE
Full Analysis
  • Remote Code Execution (CRITICAL): The file references/neon-cli.md explicitly recommends installing the CLI using curl -fsSL https://neon.tech/install.sh | bash. Piping a downloaded script straight into a shell executes whatever the server returns, with no chance to inspect or verify it first, and the source is not within the defined trusted scopes.
  • Remote Code Execution (HIGH): The skill frequently recommends the use of npx for runtime execution of remote packages (e.g., npx neon init, npx neon-js gen-types, and npx -y @neondatabase/mcp-server-neon in references/devtools.md). These execute remote code without verification.
  • Indirect Prompt Injection (HIGH): The skill instructions (e.g., in SKILL.md and references/referencing-docs.md) require the agent to fetch remote content via curl from https://neon.tech/docs/ and process it. This content is then used to guide decisions and actions.
      • Ingestion points: The agent is instructed to fetch documentation as markdown from neon.tech using curl.
      • Boundary markers: No boundary markers or 'ignore embedded instructions' warnings are suggested for the fetched content.
      • Capability inventory: The skill utilizes an MCP server (@neondatabase/mcp-server-neon) which has high-privilege capabilities including run_sql, create_project, create_branch, and provision_neon_auth.
      • Sanitization: No sanitization of the fetched external documentation is performed before it influences agent operations.
  • Credentials Unsafe (HIGH): The references/getting-started.md file (Step 2) instructs the agent to read and modify .env files to manage DATABASE_URL and other credentials. This grants the agent direct access to sensitive secrets which could be compromised via the indirect injection surface.
  • Command Execution (MEDIUM): The skill uses curl to fetch documentation. While intended for documentation retrieval, an attacker controlling the documentation source could provide malicious markdown that influences the agent's next commands or tool calls.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level: CRITICAL
Analyzed: Feb 15, 2026, 09:36 PM