pg-data

Fail

Audited by Gen Agent Trust Hub on Mar 25, 2026

Risk Level: HIGH (CREDENTIALS_UNSAFE, COMMAND_EXECUTION, PROMPT_INJECTION)
Full Analysis
  • [CREDENTIALS_UNSAFE]: The skill uses hardcoded database credentials. The reference files references/blog_small.md, references/ecommerce_medium.md, and references/saas_crm_large.md all store the plaintext password 'postgres' for the user 'postgres'. These credentials are also used in Step 5 of the SKILL.md workflow.
  • [COMMAND_EXECUTION]: The skill instructs the agent to execute shell commands using the psql utility. In Steps 5 and 7 of SKILL.md, it passes the database password via the PGPASSWORD environment variable directly in the command string (PGPASSWORD=postgres psql ...). This is an insecure practice: an inline variable assignment is part of the command line, which is often visible to other users on the system through process monitoring tools and may also be recorded in shell history.
  • [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection through the data it retrieves from databases.
    • Ingestion points: Content returned by the psql command in Step 5 and displayed to the agent in Step 6 of SKILL.md.
    • Boundary markers: Absent; the skill does not use specific delimiters or instructions to notify the agent that the retrieved database content should not be interpreted as commands.
    • Capability inventory: The skill has access to shell execution via psql and file system reading via cat.
    • Sanitization: While the skill attempts to filter outbound SQL keywords in Step 4, it lacks any sanitization or validation for inbound data content that could contain malicious instructions designed to hijack the agent's logic during the analysis or reporting phases.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: Mar 25, 2026, 12:10 PM