skills/jtmthf/skills/data-modeler | Gen Agent Trust Hub

data-modeler

Warn

Audited by Gen Agent Trust Hub on Mar 8, 2026

Risk Level: MEDIUM
Findings: CREDENTIALS_UNSAFE, COMMAND_EXECUTION, PROMPT_INJECTION

Full Analysis
  • [CREDENTIALS_UNSAFE]: The instructions for the agents/schema-scanner.md sub-agent direct it to search for and read various configuration files, specifically naming database.yml, knexfile.*, ormconfig.*, data-source.ts, and .sequelizerc. These files are industry-standard locations for hardcoded database connection secrets, including hostnames, usernames, and passwords. Accessing these files to extract schema metadata results in the exposure of these sensitive credentials to the agent's processing context.
  • [COMMAND_EXECUTION]: The skill's primary workflow involves scanning local project directories and writing migration files to the filesystem. These actions require the agent to have active file read and write capabilities. While this is expected for a developer tool, it allows the agent to modify the local environment and interact with sensitive configuration data.
  • [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection through the ingestion of external codebase data.
      ◦ Ingestion points: In Phase 2, the agent reads and parses content from local files such as schema.sql, models.py, and various migration directories to understand the existing database structure.
      ◦ Boundary markers: The skill does not implement delimiters or specific instructions telling the agent to disregard instructions or malicious payloads that might be hidden within the comments or metadata of the scanned files.
      ◦ Capability inventory: The agent possesses filesystem write capabilities (Phase 5), enabling it to produce executable code based on the data it processes.
      ◦ Sanitization: There is no evidence of sanitization, validation, or filtering of the content retrieved from the local filesystem before it is used to influence the agent's design decisions or code generation.
Audit Metadata
Risk Level: MEDIUM
Analyzed: Mar 8, 2026, 03:21 PM