sql-planner

Fail

Audited by Gen Agent Trust Hub on Mar 30, 2026

Risk Level: HIGH
Findings: COMMAND_EXECUTION, CREDENTIALS_UNSAFE, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill constructs and executes shell commands such as docker compose exec, mysql, psql, and sqlite3 using interpolated SQL strings. This pattern is vulnerable to command injection if the generated SQL contains shell-breaking characters. Additionally, the new-connector sub-skill generates and writes new skill files to the .claude/skills/ directory that contain executable shell commands.
  • [CREDENTIALS_UNSAFE]: The skill extracts sensitive database credentials (usernames and passwords) from project files like docker-compose.yml, Django settings.py, and Rails database.yml to build its connection commands.
  • [DATA_EXFILTRATION]: By executing database queries based on natural language input, the skill provides a mechanism to read and expose sensitive data stored in the database.
  • [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection. Malicious data or instructions in the project could influence the SQL generation to bypass the intended read-only restrictions. Ingestion points: $ARGUMENTS in SKILL.md. Boundary markers: None present. Capability inventory: Shell execution in SKILL.md and file writing in new-connector/SKILL.md. Sanitization: None detected for the generated SQL strings.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: Mar 30, 2026, 01:55 PM