Neon Postgres
Security checks across static analysis, malware telemetry, and agentic risk
Overview
This is a benign instruction-only Neon Postgres guide with no code or install step, but users should review optional CLI, MCP, and API-key workflows before using them.
This skill appears safe to install as a documentation aid. Before running any suggested npx, CLI, MCP, or Admin API workflow, verify it against Neon’s official docs, use least-privilege credentials, and manually approve actions that create, modify, or delete Neon resources.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
64/64 vendors flagged this skill as clean.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Following the API or CLI guidance could lead to changes in a Neon account or database environment.
The guide covers resource-management APIs that can change Neon projects, endpoints, or related infrastructure if a user applies the guidance.
The Neon Admin API can be used to manage Neon resources programmatically... direct HTTP automation, endpoint-level control, API key auth
Treat resource-changing API or CLI steps as user-approved actions, review commands before running them, and prefer least-impact changes such as test branches.

A Neon API key may allow management actions on Neon resources depending on its permissions.
The skill documents API-key-authenticated access to Neon management APIs; this is expected for the purpose but involves account authority.
Use this for direct HTTP automation, endpoint-level control, API key auth, rate-limit handling, and operation polling.
Use scoped or limited API keys where available, avoid pasting secrets into shared chats, and rotate keys if they are exposed.

Running the command would fetch and execute external Neon CLI tooling from the package ecosystem.
The referenced npx command uses the latest external CLI package when run; this is user-directed and purpose-aligned, but not pinned.
Use this for local development enablement with `npx neonctl@latest init`, VSCode extension setup, and Neon MCP server configuration.
Verify the package source and official documentation before running npx commands, and pin versions in reproducible or CI environments.

If configured, an MCP server may expose Neon operations to an agent or development environment.
The skill references MCP-based Neon operations; MCP integrations can bridge an agent to account-management capabilities.
Use the neonctl CLI or MCP server to create, inspect, and compare branches.
Only configure trusted MCP servers, review their permissions, and confirm account-changing actions before allowing them to proceed.
