raisindb-translations

Warn

Audited by Gen Agent Trust Hub on Apr 12, 2026

Risk Level: MEDIUM
Findings: COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The localeClause function in SKILL.md constructs a SQL fragment using string interpolation: return `AND locale = '${current}'`;. This fragment is then concatenated into full SQL queries in the getPageByPath and getNavigation functions. Recommending string concatenation for SQL query construction is a significant security anti-pattern that leads to SQL injection vulnerabilities.
  • [PROMPT_INJECTION]: The skill outlines a vulnerability surface for indirect injection where client-side data affects server-side queries. Ingestion points: data is fetched from localStorage in lib/stores/locale.ts (specifically localStorage.getItem(STORAGE_KEY)). Boundary markers: none. The locale value is directly embedded into the SQL string without the use of placeholders or parameterized query techniques for that specific clause. Capability inventory: the skill executes database queries via the query and queryOne functions within the Querying with Locale section. Sanitization: the provided code example uses a simple whitelist for three locales, but the documentation encourages support for any BCP 47 code, increasing the likelihood that a developer will implement an unsafe or incomplete validation mechanism while continuing to use the vulnerable concatenation pattern.
Audit Metadata
Risk Level: MEDIUM
Analyzed: Apr 12, 2026, 12:31 PM