database-admin

Warn

Audited by ClawScan on May 10, 2026.

Overview

The skill is a database admin helper, but it embeds a PostgreSQL administrator password and includes scripts capable of altering or duplicating data in a specific Roadflow database.

Do not use this skill against any real database until the embedded password is rotated and removed. If you still need it, run only in a test environment first, provide your own least-privilege credentials, review every generated SQL statement, require backups and dry-runs for migrations, and fix the packaging/dependency gaps.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Anyone with access to the skill can see the database password, and an agent could use it to query or modify the Roadflow database if the host is reachable.

Why it was flagged

The skill instructions expose a hardcoded PostgreSQL postgres credential for a specific Roadflow database, despite the registry declaring no primary credential requirement.

Skill content

Host: 192.168.1.136 ... User: postgres ... Password: Hxkj510510 ... Target database: roadflow

Recommendation

Rotate the exposed password, remove hardcoded secrets, require user-provided credentials through a secret store or environment variables, and use a least-privilege database role.

What this means

A mistaken or over-broad agent action could permanently drop columns, indexes, or otherwise alter database structure.

Why it was flagged

The migration helper constructs destructive SQL from supplied operation fields and executes it, with no artifact-backed approval gate, allowlist, dry-run default, or identifier validation.

Skill content

`ALTER TABLE ${tableName} DROP COLUMN ${op.column};` ... `DROP INDEX IF EXISTS ${op.indexName};`

Recommendation

Add explicit user confirmation for destructive operations, provide dry-run output first, validate and quote identifiers, require backups for migrations, and restrict the database role’s privileges.

What this means

A data migration could duplicate or corrupt many records across tables instead of copying a controlled batch once.

Why it was flagged

The migration loop does not apply LIMIT/OFFSET or increment offset, so the same broad INSERT can be executed repeatedly.

Skill content

`INSERT INTO ${toTable} (SELECT * FROM ${fromTable} WHERE ${whereClause || 'TRUE'});` ... `while (offset < 10000) { await pool.query(query); totalInserted += batchSize; ... }`

Recommendation

Fix batching logic, make migrations idempotent, report exact row counts before execution, and wrap data migrations in tested transactions with rollback plans.

What this means

The skill may fail to run as packaged or rely on undeclared local dependencies/files that were not part of this review.

Why it was flagged

These referenced files are not present in the supplied manifest, and the package also uses pg in code without declaring dependencies or an install spec.

Skill content

`"main": "scripts/index.js", "test": "node scripts/verify.js", "example:create-table": "node scripts/create-stock-info.js"`

Recommendation

Include all referenced files, declare and pin required dependencies, and keep the registry requirements consistent with the runnable package.