analyzing-data
Queries data warehouse and answers business questions about data. Handles questions requiring database/warehouse queries including "who uses X", "how many Y", "show me Z", "find customers", "what is the count", data lookups, metrics, trends, or SQL analysis.
74
91%
Does it follow best practices?
Impact
—
No eval scenarios have been run
Critical
Do not install without reviewing
Security
2 findings — 1 critical severity, 1 high severity. Installing this skill is not recommended: please review these findings carefully if you do intend to do so.
E005: Suspicious download URL detected in skill instructions
What this means
Detected a suspicious URL in the skill instructions that could lead the agent to download and execute malicious scripts or binaries. This includes links to executables from untrusted sources, typosquatting of official packages, URL shorteners that obscure the destination, and personal file hosting services.
Why it was flagged
Suspicious download URL detected (high risk: 0.70). The docs URL (docs.astral.sh/ty/) is a normal documentation page and low risk, but https://astral.sh/uv/install.sh is a direct shell installer — running or piping a remote .sh is high risk because it can execute arbitrary code; verify the domain, inspect the script, and prefer vetted package sources or checksums before executing.
W008: Secret detected in skill content (API keys, tokens, passwords)
What this means
Detected sensitive credentials directly embedded within the skill content, such as API keys, access tokens, private keys, or service-specific secrets. Secrets should never be hardcoded in plain text within skill instructions.
Why it was flagged
Secret detected (high risk: 1.00). I flagged a literal PEM private key block present in the repo. In scripts/tests/test_connectors.py (TestSnowflakePrivateKeyPrelude.test_private_key_from_content_compiles) there is a hardcoded string:
- Repository
- astronomer/agents
- Commit
789b454
- Audited
- Security analysis
Is this your skill?
If you maintain this skill, you can claim it as your own. Once claimed, you can manage eval scenarios, bundle related skills, attach documentation or rules, and ensure cross-agent compatibility.