Database Schema Differ

Security checks across static analysis, malware telemetry, and agentic risk

Overview

The skill appears purpose-aligned, but users should handle database credentials carefully, verify its live-database support, and review any generated migration SQL before use.

Before installing, confirm the tool supports your intended database workflow, use read-only credentials, avoid putting real passwords directly in command examples, review generated migrations before running them, and keep schema snapshots/output files private.

Static analysis

No static analysis findings were reported for this release.

VirusTotal

VirusTotal findings are pending for this skill version.


Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Database passwords or privileged accounts could be exposed through command history, process listings, or logs if pasted directly into commands.

Why it was flagged

The documented workflow uses database connection strings containing credentials, including comparisons across environments such as production. This is expected for schema comparison but gives the tool access to sensitive systems if real credentials are used.

Skill content

    python3 scripts/main.py compare postgresql://user:pass@host1/db postgresql://user:pass@host2/db

Recommendation

Use read-only database accounts, avoid embedding passwords directly in command lines when possible, and prefer safer credential mechanisms supported by the database client.

What this means

If a generated migration is run blindly, it could delete tables, columns, or indexes in a database.

Why it was flagged

The skill generates migration scripts that may contain destructive DDL. The artifacts show generation of scripts, not automatic execution, so this is purpose-aligned but still needs human review.

Skill content

    DROP TABLE IF EXISTS audit_logs; ... ALTER TABLE users DROP COLUMN IF EXISTS email_verified;

Recommendation

Review generated SQL manually, test it in a non-production environment, and keep backups before applying migrations.

What this means

Installing unverified packages or versions could introduce dependency risk.

Why it was flagged

The README asks users to install external Python packages, while the registry install spec is absent. These packages are normal for database tooling, but users should verify them because installation is manual.

Skill content

    pip3 install sqlalchemy alembic psycopg2-binary pymysql

Recommendation

Install from trusted package sources, consider pinning versions, and use a virtual environment.

What this means

Saved schema files may expose table names, column names, relationships, or internal architecture if shared or committed accidentally.

Why it was flagged

The skill stores schema snapshots/history for later comparison. This persistence is central to the purpose, but schema metadata can still reveal sensitive business structure.

Skill content

    Schema snapshots: Capture and store schema snapshots for historical comparison

Recommendation

Store snapshots securely, avoid committing sensitive schema exports to public repositories, and delete old snapshots when no longer needed.

What this means

Users may provide database URLs or expect live database functionality that the visible implementation may not actually support.

Why it was flagged

The visible code returns this error for non-SQL inputs, while the documentation advertises live database comparison via connection strings. This looks like an overstatement of capability rather than hidden malicious behavior.

Skill content

    "error": "Database connections not implemented in this version"

Recommendation

Test with non-sensitive SQL files first and confirm live database support before providing production credentials.