databricks-upgrade-migration

Pass

Audited by Gen Agent Trust Hub on Mar 24, 2026

Risk Level: SAFE
Findings: PROMPT_INJECTION, DATA_EXFILTRATION
Full Analysis
  • [PROMPT_INJECTION]: The skill is susceptible to SQL injection, classed here as indirect prompt injection because the hostile input arrives through data the skill reads rather than through the user. The Python functions in scripts/migrate_to_unity_catalog.py and the Delta Lake upgrade section interpolate table and catalog names directly into SQL strings using f-strings. An attacker who controls table or schema names in the source environment can therefore execute arbitrary SQL in the context of the migration session.
  • Ingestion points: Table names, schema names, and locations are ingested from the Databricks metastore via spark.sql(f"SHOW TABLES IN {source_schema}") and DESCRIBE DETAIL, so any name an attacker can plant in the source metastore flows straight into the f-strings.
  • Boundary markers: None present.
  • Capability inventory: The skill has the capability to execute arbitrary SQL via spark.sql() and modify workspace infrastructure via the databricks.sdk.WorkspaceClient.
  • Sanitization: Absent. The code builds SQL by direct string formatting, with neither identifier quoting (Spark SQL backtick-quoting) nor allow-list validation of the names it reads.
  • [DATA_EXFILTRATION]: The migration runbook (migrate_workspace.sh) includes a command to export production workspace directories to the local filesystem (/tmp/backup). This pattern moves potentially sensitive intellectual property and notebook content out of the managed Databricks security perimeter and into the local environment of the agent, representing a data exposure risk.
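The following is an added example, not code from the audited skill, showing the flagged pattern beside a hardened form. It assumes a schema-level migration driver (the function and file names below are hypothetical) and replaces the SparkSession with a constructed FakeSpark so the flow runs offline; the FakeSpark answers SHOW TABLES with a listing that includes one attacker-planted table name. The hardened path backtick-quotes every identifier part (Spark SQL escapes an embedded backtick by doubling it) and, as defence in depth, rejects anything outside a conservative allow-list that is stricter than what Unity Catalog actually permits.

```python
"""Hardened identifier handling for a Spark/Databricks migration script.

Constructed example. PySpark is not required: FakeSpark stands in for a
SparkSession so the ingestion-to-execution path can be exercised offline.
"""
import re

# Conservative allow-list for one identifier part. Unity Catalog allows more
# characters than this; the tighter policy is an assumption of this example.
_IDENT_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]{0,254}$")


def quote_identifier(part: str) -> str:
    """Backtick-quote one identifier part for Spark SQL.

    Everything between the backticks is parsed as a name, so `;`, `--`, and
    quotes lose their meaning; an embedded backtick is escaped by doubling.
    """
    if not isinstance(part, str) or not part:
        raise ValueError("identifier part must be a non-empty string")
    return "`" + part.replace("`", "``") + "`"


def validate_identifier(part: str) -> str:
    """Defence in depth: refuse anything outside the allow-list outright."""
    if not _IDENT_RE.fullmatch(part):
        raise ValueError(f"rejected identifier: {part!r}")
    return part


def qualified_name(*parts: str) -> str:
    """Build `catalog`.`schema`.`table` from separately checked parts."""
    return ".".join(quote_identifier(validate_identifier(p)) for p in parts)


# --- the pattern the audit flags: names interpolated verbatim ---
def show_tables_unsafe(source_schema: str) -> str:
    return f"SHOW TABLES IN {source_schema}"


def upgrade_table_unsafe(source_schema: str, table: str, target_catalog: str) -> str:
    return (f"CREATE TABLE {target_catalog}.{source_schema}.{table} "
            f"AS SELECT * FROM hive_metastore.{source_schema}.{table}")


# --- hardened equivalents ---
def show_tables_safe(source_schema: str) -> str:
    return f"SHOW TABLES IN {qualified_name(source_schema)}"


def upgrade_table_safe(source_schema: str, table: str, target_catalog: str) -> str:
    dst = qualified_name(target_catalog, source_schema, table)
    src = qualified_name("hive_metastore", source_schema, table)
    return f"CREATE TABLE {dst} AS SELECT * FROM {src}"


class FakeSpark:
    """Stand-in for SparkSession (constructed for this example).

    Records every statement and answers SHOW TABLES with a listing in which
    one table name was planted by an attacker in the source metastore.
    Real PySpark Row objects also support row["tableName"].
    """

    def __init__(self):
        self.executed = []

    def sql(self, statement: str):
        self.executed.append(statement)
        if statement.startswith("SHOW TABLES"):
            return [{"tableName": "orders"},
                    {"tableName": "x; DROP TABLE prod.secrets; --"}]
        return []


def migrate_schema(spark, source_schema: str, target_catalog: str, safe: bool = True):
    """Hypothetical migration driver. Returns (migrated, rejected) table names."""
    lister = show_tables_safe if safe else show_tables_unsafe
    builder = upgrade_table_safe if safe else upgrade_table_unsafe
    migrated, rejected = [], []
    for row in spark.sql(lister(source_schema)):
        name = row["tableName"]
        try:
            spark.sql(builder(source_schema, name, target_catalog))
            migrated.append(name)
        except ValueError:
            # Hardened path: the planted name never reaches spark.sql().
            rejected.append(name)
    return migrated, rejected


if __name__ == "__main__":
    for safe in (False, True):
        spark = FakeSpark()
        print("safe" if safe else "unsafe", migrate_schema(spark, "default", "main", safe))
        for stmt in spark.executed:
            print("   ", stmt)
```

Run with the unsafe flag and the recorded statements include `CREATE TABLE main.default.x; DROP TABLE prod.secrets; -- AS SELECT ...`, i.e. the planted name became an executed DROP. With the hardened builders the planted name is rejected before any statement is built, and the surviving statements carry fully quoted three-part names. Quoting alone would already neutralise the payload; the allow-list is kept so that a surprising name fails loudly during a migration rather than silently creating an oddly named table.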
Audit Metadata
Risk Level: SAFE
Analyzed: Mar 24, 2026, 04:23 PM