The Agent Skills Directory

[CREDENTIALS_UNSAFE]: The reference documentation (e.g., references/connection-security.md and references/cloud-operations.md) contains example hardcoded passwords like 'AdminPassword123' and 'SecurePassword123!'. Although these are clearly illustrative examples in the context of connection templates, they represent a practice of hardcoding sensitive strings.
[EXTERNAL_DOWNLOADS]: The skill guides users to install the hana-cli npm package and various @sap scoped packages from the npm registry. It also mentions a script (install-btp.sh) that fetches the SAP BTP CLI from SAP's official GitHub repository. These downloads originate from well-known and trusted technology providers.
[COMMAND_EXECUTION]: The skill facilitates the execution of arbitrary SQL queries and system commands through hana-cli (e.g., querySimple, hdbsql, reclaim). These are intended functionalities of a database management tool.
[INDIRECT_PROMPT_INJECTION]: The skill exhibits an attack surface for indirect prompt injection because it processes untrusted data from database objects.
Ingestion points: Untrusted data enters the context when the agent retrieves database metadata or row content using commands like inspectTable, querySimple, or the MCP sample_data tool.
Boundary markers: The skill lacks instructions for using delimiters or warnings to ignore embedded instructions within database results.
Capability inventory: The agent has broad capabilities including executing SQL, modifying database structures, and managing cloud instances.
Sanitization: There is no evidence of sanitization or validation logic to filter potentially malicious instructions returned from the database before the agent processes them.
[NO_CODE]: Multiple referenced files and directories, including scripts/hana-setup.sh, scripts/migration-helper.sh, and the app/ folder (containing the Web UI source), are missing from the provided skill package.

sap-hana-cli