Skill v1.0.3

ClawScan security

Claimable Postgres · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Mar 17, 2026, 9:27 PM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
The skill's instructions and requirements line up with its stated purpose (provisioning temporary Postgres instances); nothing requests unrelated credentials or system access, though the runtime guidance includes actions you should handle carefully (writing DB credentials to .env and running npx to fetch remote code).
Guidance
This skill appears to do what it says: create temporary Neon Postgres databases and give you a connection string. Before using it, consider: (1) Do not commit the returned DATABASE_URL to source control — add it to .gitignore or use an environment-local file. (2) The CLI option uses `npx neon-new@latest`, which fetches and runs code from npm at runtime; if you prefer not to execute remote code, use the REST API flow (curl) or review the package first. (3) The returned claim_url can be used to claim the DB into a Neon account — treat it as sensitive if you want to prevent others from claiming it. If you'd like, I can extract and display the agent workflow steps from the SKILL.md or produce a minimal-safe sequence (REST-only) you can run instead of the CLI flow.

Review Dimensions

Purpose & Capability
ok
The skill claims to provision temporary Postgres DBs and its instructions only call the Neon claimable-postgres REST API / CLI / SDK and write the returned DATABASE_URL to a project .env. It does not request unrelated credentials, system services, or elevated privileges.
Instruction Scope
note
Instructions are focused on provisioning and managing the returned connection string. They direct the agent to POST to neon.new, parse the response, check and write a project's .env, and optionally run the CLI via npx. This is within scope, but two operational notes deserve attention: (1) writing secrets to .env can lead to accidental credential exposure if committed to source control, and (2) the CLI flow uses npx neon-new@latest which will download and execute code from npm at runtime — expected for a CLI but a runtime action you may want to vet or avoid.
Install Mechanism
ok
There is no install spec in the skill bundle (instruction-only). The SKILL.md references using curl, npx, or installing packages/plugins, but those are user-invoked commands rather than an installer included in the skill. No downloads from untrusted URLs are baked into the skill itself.
Credentials
ok
The skill declares no required environment variables or credentials and its instructions do not request unrelated secrets. It does instruct writing the returned connection_string into the project's .env, which is appropriate for the feature but is sensitive data that the user should protect.
Persistence & Privilege
ok
The skill is not configured as always-on and does not request persistent system changes in its bundle. It allows normal agent invocation (disable-model-invocation: false), which is standard; this alone is not a red flag.