Ironclaw Pipeline Analytics

Pass. Audited by VirusTotal on May 12, 2026.

Findings (1)

The skill is designed for legitimate analytics and reporting, but its core mechanism of translating natural language to DuckDB SQL and saving reports presents significant prompt injection vulnerabilities. The `SKILL.md` explicitly instructs the agent to 'Translate to DuckDB SQL' from user input and to 'Save to workspace/reports/', which could lead to SQL injection and arbitrary file write if the agent's input sanitization and path validation are insufficient. While no explicit malicious intent is present in the skill's definition, these capabilities are high-risk and could be exploited for unauthorized data access or system manipulation.