Skill v1.0.0
ClawScan security
Postgres Query Optimizer · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Apr 30, 2026, 12:42 AM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill is internally consistent: it is an instruction-only PostgreSQL query-optimization helper that asks users for query text, EXPLAIN output and schema information and gives optimization advice. It does not request unrelated credentials, installs, or system access.
- Guidance: This skill appears to do what it says and is instruction-only (no installs or hidden requirements). Before using it, avoid pasting DB credentials, full production row data with PII, or connection strings into the chat; instead paste EXPLAIN/ANALYZE output, schema (\d+), and anonymized statistics. Treat any CREATE INDEX / SET work_mem / configuration commands it suggests as recommendations: review them and run them in a controlled environment (or with DB backups) before applying to production.
Review Dimensions
- Purpose & Capability (ok): Name/description match the runtime instructions: the SKILL.md exclusively describes analyzing EXPLAIN/ANALYZE output, asking the user for schema/stats, and recommending indexes/query rewrites and configuration changes. There are no unrelated required binaries, env vars, or installs.
- Instruction Scope (ok): Instructions stay within the expected scope: they instruct the agent to parse queries/plans and to ask the user to run specific psql queries (\d+, EXPLAIN, pg_stats, etc.) or paste outputs. The skill does not instruct the agent to read local files, environment variables, or send data to external endpoints.
- Install Mechanism (ok): No install spec and no code files. The skill is instruction-only, so nothing is written to disk or fetched at install time.
- Credentials (note): The skill itself requests no credentials or env vars (proportionate). However, real usage requires the user to run queries against their DB and paste outputs; users should avoid pasting connection strings, passwords, or sensitive row data when sharing context.
- Persistence & Privilege (ok): `always` is false and there is no mechanism to persist or alter other skills/config. The skill does not request elevated platform privileges.
