Claimable Postgres

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed helper for creating temporary Neon Postgres databases, with expected but manageable handling of database credentials.

Install this only if you are comfortable with the agent creating temporary Neon databases and storing generated connection strings in project env files. Use it for development, demos, and tests rather than production or sensitive data, keep .env files out of source control, and review external package use before choosing the npx or Vite plugin paths.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (2)

Vague Triggers

Medium

Confidence: 91% confidence
Finding: The trigger list is broad enough to activate on common user phrasing such as requests for a quick or temporary database, which can cause the skill to engage and provision external resources in situations where the user did not explicitly consent to using Neon. In this skill's context, that broad matching is more dangerous because activation can lead directly to network calls and credential generation.

Missing User Warnings

Medium

Confidence: 95% confidence
Finding: The auto-provisioning section explicitly instructs the agent to create an external database when it 'needs' one, even if the user has not asked to create third-party infrastructure. That is risky because it authorizes outbound network activity, external resource creation, and credential handling without an explicit warning or opt-in from the user.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal