database-manager

Fail

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: HIGH (COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION)
Full Analysis
  • [Indirect Prompt Injection] (HIGH): The skill is designed to ingest untrusted data (table names, query filters, and SQL migration strings) and execute them against production databases.
      • Ingestion points: Variables such as table, filters, data, schema, and migration_sql in the documented Python API and agent tools.
      • Boundary markers: None documented in the integration examples.
      • Capability inventory: Full CRUD, schema modification (ALTER/CREATE TABLE), and raw SQL execution (db.execute).
      • Sanitization: While the db.execute example uses parameterized queries, the high-level db.select and db.apply_schema methods rely on the agent's ability to correctly structure queries, which makes the skill vulnerable to injection if the agent is manipulated by a user.
  • [Privilege Escalation] (HIGH): The skill metadata explicitly requests the Bash tool. A database management skill should typically not require shell access. This provides a vector for an attacker to move from database access to full system compromise if the agent is compromised.
  • [Credentials Unsafe] (LOW): The documentation uses placeholders for API keys (eyJ...) and environment variables. While safe in the documentation, the skill's architecture encourages the use of service_role_key, which bypasses Row Level Security (RLS) and increases the impact of any potential compromise.
  • [Unverifiable Dependencies] (LOW): Uses libsql-experimental, which may contain unpatched vulnerabilities or unstable code paths compared to production-ready releases.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: Feb 16, 2026, 09:00 AM