jgi-lakehouse

Fail

Audited by Gen Agent Trust Hub on Mar 14, 2026

Risk Level: HIGH
Findings: CREDENTIALS_UNSAFE, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS
Full Analysis
  • [CREDENTIALS_UNSAFE]: The skill's documentation and scripts encourage unsafe credential management practices.
      • README.md and docs/authentication.md instruct users to store Personal Access Tokens (PATs) in a plain-text file (~/.secrets/dremio_pat) and to export them directly in the shell profile (~/.bashrc).
      • scripts/get_dremio_token.sh allows users to pass their username and password as command-line arguments (./get_dremio_token.sh username password), which results in the credentials being recorded in the shell's command history.
  • [COMMAND_EXECUTION]: Multiple scripts are vulnerable to command or query injection and use insecure execution methods.
      • examples/find_16s_rrna_genes.py constructs SQL queries using f-strings with user-provided taxonomic patterns (e.g., family_name = '{family_name}'), creating a SQL injection vulnerability if the input is not sanitized.
      • scripts/explore_gold_database.sh and scripts/get_dremio_token.sh execute system commands and shell out to Python to parse JSON taken from untrusted API responses.
      • scripts/rest_client.py and scripts/download_img_genomes.py disable TLS certificate verification (verify=False in Python and --insecure in bash), exposing the connection to man-in-the-middle (MITM) attacks.
  • [EXTERNAL_DOWNLOADS]: The skill connects to and downloads data from external JGI endpoints.
      • Scripts connect to http://lakehouse-1.jgi.lbl.gov:9047 and https://lakehouse.jgi.lbl.gov for database operations.
      • scripts/download_img_genomes.py accesses and copies files from the JGI filesystem (e.g., /clusterfs/jgi/img_merfs-ro/) to the local environment.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level
HIGH
Analyzed
Mar 14, 2026, 06:31 AM