database-doc-generator
Warn
Audited by ClawScan on May 10, 2026.
Overview
The database documentation function is coherent, but the package still contains specific database credential details while also claiming those details were removed.
Do not treat this package as clean until the maintainer removes the specific database credential references and confirms any real credentials were rotated. If you still use it, use a dedicated read-only PostgreSQL account, enable SSL/TLS, keep credentials out of command-line history, and secure the generated Excel output.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If those values are or were real, they could expose a PostgreSQL database or indicate that published skill artifacts have mishandled secrets.
The artifact still publishes a specific database password, database name, host/IP, port, and privileged username. Even if historical, this is credential-like account access information and the document itself treats it as critical.
| Database Password | `Edan@edan` | 🔴 CRITICAL | **IMMEDIATE ROTATION** | ... `monitor_inform_test` at `192.168.3.87:5592` ... User `postgres` with password `Edan@edan`
Remove all concrete credential, host, database, and username values from distributed artifacts; rotate any affected credentials; purge repository history if needed; and rerun secret scanning before use.
Users may overtrust the package’s security claims and miss the remaining sensitive credential references.
The security document claims all specific credential references were removed while the same artifact still lists specific credential-like values.
Current Status: - ✅ All specific credential references have been removed ... previously found credentials (`Edan@edan`, `monitor_inform_test`, `192.168.3.87`, etc.)
Make the security status accurate, remove or fully sanitize historical credential details, and avoid claiming successful cleanup until the distributed artifacts verify clean.
The skill can access database schema metadata using the credentials you provide.
The skill requires user-supplied database connection details and network access. This is expected for its purpose, but it gives the skill sensitive access.
export DB_HOST=your-actual-host ... export DB_USER=your-actual-username ... export DB_PASSWORD=your-actual-EXAMPLE_PASSWORD ... This skill requires network access to PostgreSQL databases
Use a dedicated read-only database account, require SSL/TLS, store credentials in environment variables or a protected config file, and avoid passing passwords on the command line.
Generated documentation may reveal the structure of every public table in the database.
When no table list is supplied, the script enumerates all public base tables and exports their structure. This is purpose-aligned, but broad by default.
if tables is None: ... tables = get_all_tables(conn) ... SELECT table_name FROM information_schema.tables WHERE table_schema = 'public'
Specify only the tables needed when possible and store the resulting Excel file in a restricted location.
