The Agent Skills Directory

Prompt Injection (LOW): The skill is susceptible to indirect prompt injection due to unsafe interpolation of file content into the LLM prompt.
Ingestion points: In src/index.ts, the generate function reads content from local files specified by the user via fs.readFileSync (lines 13-20).
Boundary markers: Absent. The file content is directly concatenated into the prompt string (File: ${path.basename(filePath)}\n\n${content}) on line 28 without the use of delimiters (e.g., XML tags or triple backticks) or instructions to ignore instructions embedded in the data.
Capability inventory: The skill possesses file system read access and network access to the OpenAI API. It generates SQL code intended for database configuration, which could be harmful if manipulated.
Sanitization: Absent. No validation or escaping is performed on the content read from the file before it is sent to the LLM.
Data Exposure & Exfiltration (LOW): The skill reads local file content and transmits it to an external API (OpenAI).
Although this is the intended primary purpose of the tool (processing Prisma schemas), the implementation allows the reading of any file provided in the command line argument. If an agent is tricked into passing a sensitive path (e.g., .env), the tool will read and send that data to the OpenAI endpoint.

supabase-gen