Skill v1.0.0
ClawScan security
database-schema-designer · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Mar 11, 2026, 3:17 PM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill is an instruction-only database schema design helper whose examples and instructions align with its stated purpose and do not request unexpected credentials or installation.
- Guidance: This skill is instruction-only and appears coherent with its purpose. Before using any generated migrations or seed scripts, review them manually and run them in a safe/staging environment (do not paste your production DATABASE_URL into an external tool). Pay attention to RLS policies and set_config usage; ensure they match your app's authentication model. The SKILL.md contains code examples (including a sample password in seed code); treat those as examples only and replace with secure values in real deployments.
Review Dimensions
- Purpose & Capability (ok): Name/description (Database Schema Designer) match the content: schema design guidance, migration examples (Prisma/Drizzle/Alembic), type generation, seed data, RLS policies, and ERD generation. All requested artifacts are consistent with a schema-design tool.
- Instruction Scope (ok): SKILL.md contains prose and code examples only; it does not instruct the agent to read arbitrary host files, fetch secrets, or transmit data to external endpoints. Some examples reference typical runtime assumptions (e.g., env("DATABASE_URL"), calling set_config to set app.current_user_id) but these are sample snippets, not instructions to exfiltrate or access unrelated system data.
- Install Mechanism (ok): No install spec and no code files that will be executed by the platform. Being instruction-only means nothing is downloaded or written by the skill itself.
- Credentials (ok): The skill declares no required environment variables or credentials. Example files reference common variables like DATABASE_URL (expected for DB migrations), which is proportionate to the purpose and not requested by the skill itself.
- Persistence & Privilege (ok): Default privileges are used (always:false; autonomous invocation allowed, which is normal). The skill does not request persistent system-wide changes or access to other skills' configs.
