docs: add note to tools (#608)

Co-authored-by: Averi Kitsch <akitsch@google.com>
Yuan
2025-05-28 08:38:18 -07:00
committed by GitHub
parent 0857be0aa8
commit 1bf6003eae
13 changed files with 65 additions and 1 deletions

View File

@@ -21,6 +21,11 @@ dialect, the specified SQL statement is executed as a [data manipulation
language (DML)][bigtable-googlesql] statements, and specified parameters will
inserted according to their name: e.g. `@name`.
> **Note:** This tool uses parameterized queries to prevent SQL injections.
> Query parameters can be used as substitutes for arbitrary expressions.
> Parameters cannot be used as substitutes for identifiers, column names, table
> names, or other parts of the query.
[bigtable-googlesql]: https://cloud.google.com/bigtable/docs/googlesql-overview
## Example
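Review bot: the sentence the note hangs off still has two grammar errors in its context lines: "is executed as a ... (DML) statements" should be "statement", and "parameters will inserted" should be "parameters will be inserted". Since this hunk is already editing the paragraph, fix both here. The note itself is accurate for this tool: the statement text is fixed and only the named `@name` values are bound, so a parameter value cannot change what the statement does.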

View File

@@ -17,6 +17,11 @@ database. It's compatible with any of the following sources:
The specified SQL statement is executed as a parameterized statement, and specified
parameters will be used according to their name: e.g. `$id`.
> **Note:** This tool uses parameterized queries to prevent SQL injections.
> Query parameters can be used as substitutes for arbitrary expressions.
> Parameters cannot be used as substitutes for identifiers, column names, table
> names, or other parts of the query.
## Example
```yaml

View File

@@ -18,6 +18,11 @@ To run a statement as a query, you need to set the config `isQuery=true`. For
upserts or mutations, set `isQuery=false`. You can also configure timeout for a
query.
> **Note:** This tool uses parameterized queries to prevent SQL injections.
> Query parameters can be used as substitutes for arbitrary expressions.
> Parameters cannot be used as substitutes for identifiers, column names, table
> names, or other parts of the query.
## Example
{{< tabpane persist="header" >}}
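Review bot: check "SQL injections" against this tool's actual statement language before merging. The surrounding text describes queries versus upserts and mutations selected with `isQuery`, which does not read like a SQL tool; if the statements here are not SQL, then "SQL injections" and "column names, table names" are the wrong vocabulary, and the note should name the language it actually protects (or say "injection attacks" and describe the parts of the statement that parameters cannot replace in that language).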

View File

@@ -18,6 +18,9 @@ database. It's compatible with any of the following sources:
`mssql-execute-sql` takes one input parameter `sql` and run the sql
statement against the `source`.
> **Note:** This tool is intended for developer assistant workflows with
> human-in-the-loop and shouldn't be used for production agents.
## Example
```yaml
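Review bot: the new note says where not to use the tool but not why, and the reason is in the line right above it: `mssql-execute-sql` takes the caller's `sql` string and runs it against the `source` as-is, with no parameterization, so whoever fills that parameter (an LLM agent included) can execute arbitrary statements with the source's credentials. Suggest stating that explicitly and recommending a dedicated least-privilege database account for the source, e.g. `> **Note:** The \`sql\` input is executed verbatim; the caller has the full SQL authority of the configured source.` While here, "run the sql statement" should read "runs the SQL statement".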

View File

@@ -23,6 +23,11 @@ Server and expects parameters in the SQL query to be in the form of either
db.QueryContext(ctx, `select * from t where ID = @ID and Name = @p2;`, sql.Named("ID", 6), "Bob")
```
> **Note:** This tool uses parameterized queries to prevent SQL injections.
> Query parameters can be used as substitutes for arbitrary expressions.
> Parameters cannot be used as substitutes for identifiers, column names, table
> names, or other parts of the query.
[prepare-statement]: https://learn.microsoft.com/sql/relational-databases/system-stored-procedures/sp-prepare-transact-sql?view=sql-server-ver16
## Example

View File

@@ -18,6 +18,9 @@ database. It's compatible with any of the following sources:
`mysql-execute-sql` takes one input parameter `sql` and run the sql
statement against the `source`.
> **Note:** This tool is intended for developer assistant workflows with
> human-in-the-loop and shouldn't be used for production agents.
## Example
```yaml
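Review bot: same gap as on the other execute-sql pages in this commit: the note tells readers not to use the tool for production agents but omits the fact that makes it unsafe, namely that the `sql` input is executed unchanged, so any caller whose input an attacker can influence gets arbitrary statement execution against the `source`. One sentence saying that, plus a pointer to run the source under a least-privilege account, turns the warning into something a reader can act on. Also "run the sql statement" should be "runs the SQL statement".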

View File

@@ -18,6 +18,11 @@ database. It's compatible with any of the following sources:
The specified SQL statement is executed as a [prepared statement][mysql-prepare],
and expects parameters in the SQL query to be in the form of placeholders `?`.
> **Note:** This tool uses parameterized queries to prevent SQL injections.
> Query parameters can be used as substitutes for arbitrary expressions.
> Parameters cannot be used as substitutes for identifiers, column names, table
> names, or other parts of the query.
[mysql-prepare]: https://dev.mysql.com/doc/refman/8.4/en/sql-prepared-statements.html
## Example

View File

@@ -18,6 +18,11 @@ The specified Cypher statement is executed as a [parameterized
statement][neo4j-parameters], and specified parameters will be used according to
their name: e.g. `$id`.
> **Note:** This tool uses parameterized queries to prevent SQL injections.
> Query parameters can be used as substitutes for arbitrary expressions.
> Parameters cannot be used as substitutes for identifiers, column names, table
> names, or other parts of the query.
[neo4j-parameters]:
https://neo4j.com/docs/cypher-manual/current/syntax/parameters/
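Review bot: "SQL injections" is the wrong term on this page: the text describes a Cypher statement executed with [neo4j-parameters], so the note should say "Cypher injection". The second half needs the same translation: in Cypher, parameters cannot stand in for node labels, relationship types or property keys, which is the Cypher counterpart of "identifiers, column names, table names". Suggest: "Parameters cannot be used as substitutes for labels, relationship types, property keys, or other structural parts of the query."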

View File

@@ -19,6 +19,9 @@ database. It's compatible with any of the following sources:
`postgres-execute-sql` takes one input parameter `sql` and run the sql
statement against the `source`.
> **Note:** This tool is intended for developer assistant workflows with
> human-in-the-loop and shouldn't be used for production agents.
## Example
```yaml
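Review bot: the human-in-the-loop note should say what distinguishes this tool from the parameterized ones in this same commit: here the entire statement arrives through the `sql` parameter and is run unchanged, so the "parameterized queries prevent SQL injections" guarantee does not apply, and the caller can run any statement the source's credentials allow. Spell that out and advise a least-privilege role for the source. Also "run the sql statement" should be "runs the SQL statement".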

View File

@@ -21,6 +21,11 @@ and specified parameters will inserted according to their position: e.g. `1`
will be the first parameter specified, `$@` will be the second parameter, and so
on.
> **Note:** This tool uses parameterized queries to prevent SQL injections.
> Query parameters can be used as substitutes for arbitrary expressions.
> Parameters cannot be used as substitutes for identifiers, column names, table
> names, or other parts of the query.
[pg-prepare]: https://www.postgresql.org/docs/current/sql-prepare.html
## Example
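Review bot: the context lines this note is attached to contain an error that will confuse anyone reading the new note: "`1` will be the first parameter specified, `$@` will be the second parameter" should be "`$1` ... `$2`", since PostgreSQL positional parameters are `$1`, `$2`, and so on. The hunk already touches this paragraph, so fix it here, together with "parameters will inserted" -> "parameters will be inserted".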

View File

@@ -17,6 +17,9 @@ database. It's compatible with any of the following sources:
`spanner-execute-sql` takes one input parameter `sql` and run the sql
statement against the `source`.
> **Note:** This tool is intended for developer assistant workflows with
> human-in-the-loop and shouldn't be used for production agents.
## Example
```yaml
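Review bot: as with the other execute-sql tools in this commit, the note should state the reason for the restriction: `spanner-execute-sql` runs the caller-supplied `sql` statement against the `source` as-is, with no parameterization, so the warning is really "the caller has full statement-level control with the source's credentials". Add that sentence and a recommendation to use a least-privilege account for the source. Also "run the sql statement" should be "runs the SQL statement".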

View File

@@ -21,6 +21,11 @@ For the `googlesql` dialect, the specified SQL statement is executed as a [data
manipulation language (DML)][gsql-dml] statements, and specified parameters will
inserted according to their name: e.g. `@name`.
> **Note:** This tool uses parameterized queries to prevent SQL injections.
> Query parameters can be used as substitutes for arbitrary expressions.
> Parameters cannot be used as substitutes for identifiers, column names, table
> names, or other parts of the query.
[gsql-dml]: https://cloud.google.com/spanner/docs/reference/standard-sql/dml-syntax
### PostgreSQL
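Review bot: the context sentence in this hunk has the same grammar problems as the Bigtable page: "executed as a ... (DML) statements" should be "statement" and "parameters will inserted" should be "parameters will be inserted". Fix them while the paragraph is being edited.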
@@ -30,6 +35,11 @@ statement][pg-prepare], and specified parameters will inserted according to
their position: e.g. `$1` will be the first parameter specified, `$@` will be
the second parameter, and so on.
> **Note:** This tool uses parameterized queries to prevent SQL injections.
> Query parameters can be used as substitutes for arbitrary expressions.
> Parameters cannot be used as substitutes for identifiers, column names, table
> names, or other parts of the query.
[pg-prepare]: https://www.postgresql.org/docs/current/sql-prepare.html
## Example
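Review bot: "`$1` will be the first parameter specified, `$@` will be the second parameter" is wrong in the context lines: PostgreSQL positional parameters are `$1`, `$2`, ..., so this should read `$2`. Also "parameters will inserted" should be "parameters will be inserted". Both sit in the paragraph this hunk edits, so fix them here.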

View File

@@ -16,7 +16,14 @@ It's compatible with any of the following sources:
SQLite uses the `?` placeholder for parameters in SQL statements. Parameters are
bound in the order they are provided.
The statement field supports any valid SQLite SQL statement, including `SELECT`, `INSERT`, `UPDATE`, `DELETE`, `CREATE/ALTER/DROP` table statements, and other DDL statements.
The statement field supports any valid SQLite SQL statement, including `SELECT`,
`INSERT`, `UPDATE`, `DELETE`, `CREATE/ALTER/DROP` table statements, and other
DDL statements.
> **Note:** This tool uses parameterized queries to prevent SQL injections.
> Query parameters can be used as substitutes for arbitrary expressions.
> Parameters cannot be used as substitutes for identifiers, column names, table
> names, or other parts of the query.
### Example
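Review bot: heading level: this page ends with `### Example` while every other tool page in this commit uses `## Example`; change it so the section structure matches. On the new note itself: because this page advertises that the statement field accepts DDL (`CREATE/ALTER/DROP`), it is worth adding that the statement is fixed in the tool configuration and callers only supply the `?` values, which is what keeps those DDL statements out of a caller's reach.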