surreal-sync
AdvisoryAudited by Static analysis on Apr 30, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
You may be running code from an external package source that was not reviewed in this artifact set.
The skill relies on installing an external Rust CLI that is not included in the provided artifacts, and the install command does not pin a reviewed version.
cargo install surreal-sync
Verify the crate or upstream repository, pin a trusted version where possible, and test installation in a non-production environment first.
Database credentials can grant broad read/write authority, and command-line passwords may be exposed through shell history or process listings.
The documented workflows require source database connection strings and SurrealDB credentials, including examples that place passwords directly on the command line.
--connection-string "postgresql://user:pass@localhost/mydb" ... --surreal-username root ... --surreal-password root
Use least-privilege migration accounts, avoid real passwords in saved command history, and prefer secure secret handling if the CLI supports it.
Running a command with the wrong source, target namespace, or database could create or alter data in an unintended SurrealDB environment.
The CLI can create database structures and perform ongoing synchronization, which is powerful but consistent with the skill's migration purpose.
- Automatic schema inference and SurrealDB table creation - Resumable sync with checkpoint tracking
Confirm source and target settings, back up important data, test in a staging namespace/database, and monitor CDC jobs before using production credentials.