chore(deps): update firebase/agent-skills digest to 02c0a61

[renovate]

This PR contains the following updates:

Package	Update	Change
firebase/agent-skills	digest	c3bb9d5 → 02c0a61

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • Between 12:00 AM and 03:59 AM, only on Monday (* 0-3 * * 1)
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[renovate]

Edited/Blocked Notification

Renovate will not automatically rebase this PR, because it does not recognize the last commit author and assumes somebody else may have edited the PR.

You can manually request rebase by checking the rebase/retry box above.

⚠️ Warning: custom changes will be lost.

[toolhive-release-app]

🛡️ Skill Security Scan Results

❌ developing-genkit-dart

• Status: Failed
• Findings: 8
• Blocking: 2

Blocking issues:

• [ATR_2026_00002] (HIGH) Pattern detected: ['-y', '@modelcontextprotocol/server-filesystem', '.'] (references/genkit_mcp.md:22)
• [ATR_2026_00002] (HIGH) Pattern detected: ['-y', '@modelcontextprotocol/server-filesystem', '.'] (references/genkit_mcp.md:59)

Allowlisted (not blocking):

• MANIFEST_MISSING_LICENSE (Allowed: firebase/agent-skills is licensed Apache-2.0 at the repository root; upstream does not embed an SPDX license identifier in per-skill SKILL.md frontmatter.)
• PIPELINE_TAINT_FLOW (Allowed: The skill's prerequisites cite the official Genkit CLI installer curl -sL cli.genkit.dev | bash as a documented install command.)

✅ developing-genkit-go

• Status: Passed
• Findings: 2
• Allowed (not blocking): 2
  • PIPELINE_TAINT_FLOW (Allowed: The skill's prerequisites cite the official Genkit CLI installer curl -sL cli.genkit.dev | bash as a documented install command.)
  • PIPELINE_TAINT_FLOW (Allowed: The skill's prerequisites cite the official Genkit CLI installer curl -sL cli.genkit.dev | bash as a documented install command.)

✅ developing-genkit-js

• Status: Passed
• Findings: 5
• Allowed (not blocking): 1
  • MANIFEST_MISSING_LICENSE (Allowed: firebase/agent-skills is licensed Apache-2.0 at the repository root; upstream does not embed an SPDX license identifier in per-skill SKILL.md frontmatter.)

✅ firebase-ai-logic-basics

• Status: Passed
• Findings: 5
• Allowed (not blocking): 1
  • MANIFEST_MISSING_LICENSE (Allowed: firebase/agent-skills is licensed Apache-2.0 at the repository root; upstream does not embed an SPDX license identifier in per-skill SKILL.md frontmatter.)

✅ firebase-app-hosting-basics

• Status: Passed
• Findings: 4
• Allowed (not blocking): 1
  • MANIFEST_MISSING_LICENSE (Allowed: firebase/agent-skills is licensed Apache-2.0 at the repository root; upstream does not embed an SPDX license identifier in per-skill SKILL.md frontmatter.)

✅ firebase-auth-basics

• Status: Passed
• Findings: 4
• Allowed (not blocking): 1
  • MANIFEST_MISSING_LICENSE (Allowed: firebase/agent-skills is licensed Apache-2.0 at the repository root; upstream does not embed an SPDX license identifier in per-skill SKILL.md frontmatter.)

✅ firebase-basics

• Status: Passed
• Findings: 4

❌ firebase-data-connect-basics

• Status: Failed
• Findings: 307
• Blocking: 141

Blocking issues:

• [ATR_2026_00040] (CRITICAL) Pattern detected: Deploy (reference/config.md:210)
• [ATR_2026_00040] (CRITICAL) Pattern detected: Deploy (reference/config.md:215)
• [ATR_2026_00066] (CRITICAL) Pattern detected: `bash (reference/config.md:221)
• [ATR_2026_00040] (CRITICAL) Pattern detected: deploy (reference/config.md:239)
• [ATR_2026_00040] (CRITICAL) Pattern detected: Deploy (reference/config.md:245)
• [ATR_2026_00066] (CRITICAL) Pattern detected: ${{ secrets.FIREBASE_TOKEN }} (reference/config.md:247)
• [ATR_2026_00012] (HIGH) Pattern detected: $1) with standard GraphQL named variables (`$id (reference/native_sql.md:9)
• [ATR_2026_00012] (HIGH) Pattern detected: params array order. Named parameters (`$id (reference/native_sql.md:21)
• [ATR_2026_00066] (CRITICAL) Pattern detected: /* ... /). Line comments (--) are **forbidden** because they can truncate subsequent clauses during query compilation. If you comment out a line containing a parameter (e.g., / WHERE id = $1 */ (reference/native_sql.md:22)
• [ATR_2026_00012] (HIGH) Pattern detected: must be a static string (e.g.,{_expr: "auth.uid (reference/native_sql.md:24)
• [ATR_2026_00040] (CRITICAL) Pattern detected: exec (reference/native_sql.md:28)
• [ATR_2026_00040] (CRITICAL) Pattern detected: exec (reference/native_sql.md:30)
• [ATR_2026_00040] (CRITICAL) Pattern detected: Exec (reference/native_sql.md:36)
• [ATR_2026_00040] (CRITICAL) Pattern detected: Exec (reference/native_sql.md:45)
• [ATR_2026_00040] (CRITICAL) Pattern detected: exec (reference/native_sql.md:56)
• [ATR_2026_00040] (CRITICAL) Pattern detected: exec (reference/native_sql.md:58)
• [ATR_2026_00040] (CRITICAL) Pattern detected: exec (reference/native_sql.md:61)
• [ATR_2026_00012] (HIGH) Pattern detected: UPDATE movie SET (reference/native_sql.md:62)
• [ATR_2026_00040] (CRITICAL) Pattern detected: exec (reference/native_sql.md:67)
• [ATR_2026_00040] (CRITICAL) Pattern detected: exec (reference/native_sql.md:70)
• [ATR_2026_00012] (HIGH) Pattern detected: DELETE FROM (reference/native_sql.md:71)
• [ATR_2026_00040] (CRITICAL) Pattern detected: exec (reference/native_sql.md:76)
• [ATR_2026_00040] (CRITICAL) Pattern detected: exec (reference/native_sql.md:79)
• [ATR_2026_00012] (HIGH) Pattern detected: UPDATE review SET (reference/native_sql.md:81)
• [ATR_2026_00040] (CRITICAL) Pattern detected: EXEC (reference/native_sql.md:102)
• [ATR_2026_00040] (CRITICAL) Pattern detected: EXEC (reference/native_sql.md:118)
• [ATR_2026_00051] (HIGH) Pattern detected: for each (reference/operations.md:14)
• [ATR_2026_00012] (HIGH) Pattern detected: `movie(id (reference/operations.md:18)
• [ATR_2026_00010] (CRITICAL) Pattern detected: `movies(where: ..., orderBy: ..., limit: ..., offset: ..., distinc (reference/operations.md:19)
• [ATR_2026_00012] (HIGH) Pattern detected: `movie_update(id (reference/operations.md:22)
• [ATR_2026_00012] (HIGH) Pattern detected: `movie_delete(id (reference/operations.md:25)
• [ATR_2026_00140] (HIGH) Pattern detected: Reverse (reference/operations.md:31)
• [ATR_2026_00012] (HIGH) Pattern detected: , input.gql`) to understand the exact sh (reference/operations.md:44)
• [ATR_2026_00010] (CRITICAL) Pattern detected: includes | Array includes | `{ tags: { inc (reference/operations.md:93)
• [ATR_2026_00063] (CRITICAL) Pattern detected: exFil (reference/operations.md:116)
• [ATR_2026_00010] (CRITICAL) Pattern detected: inc | Int, Float, Date, Timestamp | Inc (reference/operations.md:239)
• [ATR_2026_00012] (HIGH) Pattern detected: $key (reference/operations.md:295)
• [ATR_2026_00012] (HIGH) Pattern detected: $key (reference/operations.md:296)
• [ATR_2026_00012] (HIGH) Pattern detected: | Single-entity lookup by ID (e.g., `movie(id: $id (reference/realtime.md:17)
• [ATR_2026_00040] (CRITICAL) Pattern detected: Exec (reference/realtime.md:18)
• [ATR_2026_00012] (HIGH) Pattern detected: | Any query that sh (reference/realtime.md:19)
• [ATR_2026_00012] (HIGH) Pattern detected: `@refresh (reference/realtime.md:21)
• [ATR_2026_00111] (CRITICAL) Pattern detected: subscribe() (reference/realtime.md:23)
• [ATR_2026_00012] (HIGH) Pattern detected: `@refresh (reference/realtime.md:29)
• [ATR_2026_00040] (CRITICAL) Pattern detected: deploy (reference/realtime.md:49)
• [ATR_2026_00040] (CRITICAL) Pattern detected: Exec (reference/realtime.md:53)
• [ATR_2026_00040] (CRITICAL) Pattern detected: exec (reference/realtime.md:55)
• [ATR_2026_00040] (CRITICAL) Pattern detected: Exec (reference/realtime.md:60)
• [ATR_2026_00063] (CRITICAL) Pattern detected: SendMessage (reference/realtime.md:61)
• [ATR_2026_00040] (CRITICAL) Pattern detected: exec (reference/realtime.md:69)
• [ATR_2026_00040] (CRITICAL) Pattern detected: Exec (reference/realtime.md:72)
• [ATR_2026_00063] (CRITICAL) Pattern detected: SendMessage (reference/realtime.md:73)
• [ATR_2026_00040] (CRITICAL) Pattern detected: exec (reference/realtime.md:81)
• [ATR_2026_00012] (HIGH) Pattern detected: `@refresh (reference/realtime.md:89)
• [ATR_2026_00040] (CRITICAL) Pattern detected: Exec (reference/realtime.md:94)
• [ATR_2026_00040] (CRITICAL) Pattern detected: Exec (reference/realtime.md:111)
• [ATR_2026_00012] (HIGH) Pattern detected: `request.variables.id (reference/realtime.md:118)
• [ATR_2026_00012] (HIGH) Pattern detected: `request.auth.uid (reference/realtime.md:119)
• [ATR_2026_00040] (CRITICAL) Pattern detected: exec (reference/realtime.md:123)
• [ATR_2026_00040] (CRITICAL) Pattern detected: exec (reference/realtime.md:128)
• [ATR_2026_00040] (CRITICAL) Pattern detected: exec (reference/realtime.md:129)
• [ATR_2026_00012] (HIGH) Pattern detected: `@refresh (reference/realtime.md:151)
• [ATR_2026_00012] (HIGH) Pattern detected: movie(id: $id), `user(key: { uid: $uid (reference/realtime.md:154)
• [ATR_2026_00012] (HIGH) Pattern detected: `_update(id (reference/realtime.md:158)
• [ATR_2026_00012] (HIGH) Pattern detected: `_delete(id (reference/realtime.md:159)
• [ATR_2026_00012] (HIGH) Pattern detected: ` do not trigger automatic entity refresh (reference/realtime.md:160)
• [ATR_2026_00012] (HIGH) Pattern detected: movies(where: {...}), `users { id (reference/realtime.md:163)
• [ATR_2026_00111] (CRITICAL) Pattern detected: subscribe() (reference/realtime.md:179)
• [ATR_2026_00111] (CRITICAL) Pattern detected: id: UUID! (reference/schema.md:14)
• [ATR_2026_00012] (HIGH) Pattern detected: key | Primary key field(s), default `["id (reference/schema.md:57)
• [ATR_2026_00012] (HIGH) Pattern detected: , @default(expr: "auth.uid (reference/schema.md:76)
• [ATR_2026_00012] (HIGH) Pattern detected: `auth.uid (reference/schema.md:81)
• [ATR_2026_00051] (HIGH) Pattern detected: for each (reference/schema.md:114)
• [ATR_2026_00010] (CRITICAL) Pattern detected: `referenc (reference/schema.md:165)
• [ATR_2026_00010] (CRITICAL) Pattern detected: @unique on the referenc (reference/schema.md:174)
• [ATR_2026_00012] (HIGH) Pattern detected: UUID | `uuid (reference/schema.md:219)
• [ATR_2026_00004] (CRITICAL) Pattern detected: # Admin (reference/sdk_admin_node.md:1)
• [ATR_2026_00040] (CRITICAL) Pattern detected: elevate (reference/sdk_admin_node.md:3)
• [ATR_2026_00040] (CRITICAL) Pattern detected: deploy (reference/sdk_admin_node.md:6)
• [ATR_2026_00010] (CRITICAL) Pattern detected: default branch to switch statements or an else branc (reference/sdk_admin_node.md:11)
• [ATR_2026_00004] (CRITICAL) Pattern detected: ### Configuration (reference/sdk_admin_node.md:13)
• [ATR_2026_00066] (CRITICAL) Pattern detected: `bash (reference/sdk_admin_node.md:30)
• [ATR_2026_00040] (CRITICAL) Pattern detected: deploy (reference/sdk_android.md:6)
• [ATR_2026_00111] (CRITICAL) Pattern detected: execute() (reference/sdk_android.md:8)
• [ATR_2026_00040] (CRITICAL) Pattern detected: exec (reference/sdk_android.md:9)
• [ATR_2026_00013] (CRITICAL) Pattern detected: 10.0.2.2 (reference/sdk_android.md:39)
• [ATR_2026_00040] (CRITICAL) Pattern detected: exec (reference/sdk_android.md:49)
• [ATR_2026_00040] (CRITICAL) Pattern detected: exec (reference/sdk_android.md:57)
• [ATR_2026_00040] (CRITICAL) Pattern detected: exec (reference/sdk_android.md:69)
• [ATR_2026_00066] (CRITICAL) Pattern detected: ${aspect.value.name} (reference/sdk_android.md:73)
• [ATR_2026_00066] (CRITICAL) Pattern detected: ${aspect.stringValue} (reference/sdk_android.md:74)
• [ATR_2026_00040] (CRITICAL) Pattern detected: exec (reference/sdk_android.md:94)
• [ATR_2026_00040] (CRITICAL) Pattern detected: exec (reference/sdk_android.md:95)
• [ATR_2026_00040] (CRITICAL) Pattern detected: deploy (reference/sdk_flutter.md:6)
• [ATR_2026_00010] (CRITICAL) Pattern detected: on operation methods to get aQueryRef` for advanc (reference/sdk_flutter.md:8)
• [ATR_2026_00066] (CRITICAL) Pattern detected: `bash (reference/sdk_flutter.md:13)
• [ATR_2026_00040] (CRITICAL) Pattern detected: exec (reference/sdk_flutter.md:36)
• [ATR_2026_00040] (CRITICAL) Pattern detected: exec (reference/sdk_flutter.md:46)
• [ATR_2026_00040] (CRITICAL) Pattern detected: exec (reference/sdk_flutter.md:53)
• [ATR_2026_00066] (CRITICAL) Pattern detected: ${aspectValue.stringValue} (reference/sdk_flutter.md:71)
• [ATR_2026_00040] (CRITICAL) Pattern detected: exec (reference/sdk_flutter.md:92)
• [ATR_2026_00040] (CRITICAL) Pattern detected: exec (reference/sdk_flutter.md:95)
• [ATR_2026_00040] (CRITICAL) Pattern detected: deploy (reference/sdk_ios.md:6)
• [ATR_2026_00040] (CRITICAL) Pattern detected: exec (reference/sdk_ios.md:9)
• [ATR_2026_00013] (CRITICAL) Pattern detected: 127.0.0.1:9399 (reference/sdk_ios.md:28)
• [ATR_2026_00040] (CRITICAL) Pattern detected: exec (reference/sdk_ios.md:38)
• [ATR_2026_00040] (CRITICAL) Pattern detected: exec (reference/sdk_ios.md:46)
• [ATR_2026_00040] (CRITICAL) Pattern detected: exec (reference/sdk_ios.md:59)
• [ATR_2026_00040] (CRITICAL) Pattern detected: exec (reference/sdk_ios.md:90)
• [ATR_2026_00040] (CRITICAL) Pattern detected: exec (reference/sdk_ios.md:91)
• [ATR_2026_00040] (CRITICAL) Pattern detected: deploy (reference/sdk_web.md:6)
• [ATR_2026_00010] (CRITICAL) Pattern detected: default branch to switch statements or an else branc (reference/sdk_web.md:7)
• [ATR_2026_00010] (CRITICAL) Pattern detected: connectDataConnectEmulator is only required if connecting to the emulator. Otherwise, the generated SDK auto-creates the instanc (reference/sdk_web.md:9)
• [ATR_2026_00066] (CRITICAL) Pattern detected: `bash (reference/sdk_web.md:13)
• [ATR_2026_00111] (CRITICAL) Pattern detected: executeQuery (reference/sdk_web.md:31)
• [ATR_2026_00040] (CRITICAL) Pattern detected: exec (reference/sdk_web.md:33)
• [ATR_2026_00040] (CRITICAL) Pattern detected: exec (reference/sdk_web.md:37)
• [ATR_2026_00040] (CRITICAL) Pattern detected: exec (reference/sdk_web.md:86)
• [ATR_2026_00040] (CRITICAL) Pattern detected: exec (reference/sdk_web.md:87)
• [ATR_2026_00111] (CRITICAL) Pattern detected: subscribe() (reference/sdk_web.md:91)
• [ATR_2026_00040] (CRITICAL) Pattern detected: deploy (reference/security.md:15)
• [ATR_2026_00040] (CRITICAL) Pattern detected: admin = (reference/security.md:20)
• [ATR_2026_00040] (CRITICAL) Pattern detected: deploy (reference/security.md:27)
• [ATR_2026_00088] (HIGH) Pattern detected: Suppress deploy warning (reference/security.md:27)
• [ATR_2026_00010] (CRITICAL) Pattern detected: USER_ANON | Any authenticated user (inc (reference/security.md:36)
• [ATR_2026_00012] (HIGH) Pattern detected: | Authenticated users (excludes anonymous) | `auth.uid (reference/security.md:37)
• [ATR_2026_00012] (HIGH) Pattern detected: | Users with verified email |auth.uid (reference/security.md:38)
• [ATR_2026_00012] (HIGH) Pattern detected: `auth.uid (reference/security.md:51)
• [ATR_2026_00111] (CRITICAL) Pattern detected: sub (reference/security.md:65)
• [ATR_2026_00040] (CRITICAL) Pattern detected: 'admin' (reference/security.md:73)
• [ATR_2026_00040] (CRITICAL) Pattern detected: 'admin' (reference/security.md:79)
• [ATR_2026_00012] (HIGH) Pattern detected: && vars.status in ['draft', 'publish (reference/security.md:82)
• [ATR_2026_00040] (CRITICAL) Pattern detected: 'admin' (reference/security.md:119)
• [ATR_2026_00004] (CRITICAL) Pattern detected: # Admin (reference/security.md:206)
• [ATR_2026_00040] (CRITICAL) Pattern detected: admin = (reference/security.md:207)
• [ATR_2026_00040] (CRITICAL) Pattern detected: 'admin' (reference/security.md:215)
• [ATR_2026_00066] (CRITICAL) Pattern detected: `bash (templates.md:214)
• [ATR_2026_00040] (CRITICAL) Pattern detected: Deploy (templates.md:228)
• [ATR_2026_00040] (CRITICAL) Pattern detected: deploy (templates.md:229)
• [ATR_2026_00161] (CRITICAL) Pattern detected: .env (templates.md:254)
• [ATR_2026_00040] (CRITICAL) Pattern detected: Exec (templates.md:292)

✅ firebase-firestore

• Status: Passed
• Findings: 2

✅ firebase-hosting-basics

• Status: Passed
• Findings: 2
• Allowed (not blocking): 1
  • MANIFEST_MISSING_LICENSE (Allowed: firebase/agent-skills is licensed Apache-2.0 at the repository root; upstream does not embed an SPDX license identifier in per-skill SKILL.md frontmatter.)

✅ firebase-security-rules-auditor

• Status: Passed
• Findings: 2
• Allowed (not blocking): 1
  • MANIFEST_MISSING_LICENSE (Allowed: firebase/agent-skills is licensed Apache-2.0 at the repository root; upstream does not embed an SPDX license identifier in per-skill SKILL.md frontmatter.)

---

Summary: Scanned 11 skill(s), found 143 blocking issue(s).

⚠️ Action Required: Review the blocking findings. Add a justified entry to the skill's security.allowed_issues[] in its spec.yaml if the finding is a false positive.