Claimable Postgres

v1.0.3

Provision instant temporary Postgres databases via Claimable Postgres by Neon (neon.new) with no login, signup, or credit card. Supports REST API, CLI, and S...

by Andre Landgraf (@andrelandgraf)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Benign (high confidence)
Purpose & Capability
The skill claims to provision temporary Postgres DBs and its instructions only call the Neon claimable-postgres REST API / CLI / SDK and write the returned DATABASE_URL to a project .env. It does not request unrelated credentials, system services, or elevated privileges.
Instruction Scope
Instructions are focused on provisioning and managing the returned connection string. They direct the agent to POST to neon.new, parse the response, check and write a project's .env, and optionally run the CLI via npx. This is within scope, but two operational notes deserve attention: (1) writing secrets to .env can lead to accidental credential exposure if committed to source control, and (2) the CLI flow uses npx neon-new@latest which will download and execute code from npm at runtime — expected for a CLI but a runtime action you may want to vet or avoid.
Install Mechanism
There is no install spec in the skill bundle (instruction-only). The SKILL.md references using curl, npx, or installing packages/plugins, but those are user-invoked commands rather than an installer included in the skill. No downloads from untrusted URLs are baked into the skill itself.
Credentials
The skill declares no required environment variables or credentials and its instructions do not request unrelated secrets. It does instruct writing the returned connection_string into the project's .env, which is appropriate for the feature but is sensitive data that the user should protect.
Persistence & Privilege
The skill is not configured as always-on and does not request persistent system changes in its bundle. It allows normal agent invocation (disable-model-invocation: false), which is standard; this alone is not a red flag.
Assessment
This skill appears to do what it says: create temporary Neon Postgres databases and give you a connection string. Before using it, consider: (1) Do not commit the returned DATABASE_URL to source control; add the .env file to .gitignore or use an environment-local file. (2) The CLI option uses `npx neon-new@latest`, which fetches and runs code from npm at runtime; if you prefer not to execute remote code, use the REST API flow (curl) or review the package first. (3) The returned claim_url can be used to claim the DB into a Neon account, so treat it as sensitive if you want to prevent others from claiming it.
