agent-bom-discover-snowflake

Use this skill to collect Snowflake AI and workload inventory as schema-valid agent-bom inventory. Default to discover-only: write JSON to an operator-selected path and stop.

Guardrails

• Use only operator-approved Snowflake accounts, warehouses, databases, and read-only roles.
• Prefer SSO, OAuth, or key-pair auth. Do not request or display SNOWFLAKE_PASSWORD, private key contents, passphrases, or OAuth tokens.
• Do not modify Snowflake resources. This workflow is discovery-only.
• Write inventory only to a path the operator chose.
• Treat AI-generated prose as non-authoritative; schema-validated inventory JSON is the evidence.

Workflow

python examples/operator_pull/snowflake_inventory_adapter.py \
  --account "$SNOWFLAKE_ACCOUNT" \
  --user "$SNOWFLAKE_USER" \
  --authenticator snowflake_jwt \
  --source snowflake-skill-invoked \
  --discovery-method skill_invoked_pull \
  --output snowflake-inventory.json

Scan only when the operator asks for findings:

agent-bom agents --inventory snowflake-inventory.json --format json --output agent-bom-snowflake-findings.json

Evidence Contract

The emitted inventory carries discovery_provenance.source_type: skill_invoked_pull, observed_via: skill_invoked_pull, snowflake_sdk, sanitized metadata.permissions_used, and redacted credential material. If schema validation fails, stop and fix the inventory instead of scanning a best-effort summary.