PocketBase
ReviewAudited by ClawScan on May 1, 2026.
Overview
This is an instruction-only PocketBase reference; it mentions admin credentials and server-side hooks, but those are expected for building PocketBase backends.
This skill appears safe as a PocketBase reference, but be careful when using it for admin operations or server hooks: admin credentials can control backend data, and hook files run as backend code.
Findings (2)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If the agent uses admin credentials, it could access or change privileged PocketBase backend data depending on the user's instructions and server permissions.
The skill instructs use of PocketBase superuser/admin authentication. That is expected for admin API work, but it is high-privilege credential handling that users should treat carefully.
Admin endpoints need superuser auth, not regular user tokens - Create admin token: `pb.admins.authWithPassword(email, password)`
Only provide PocketBase admin credentials when needed, prefer least-privilege accounts where possible, and review any admin API changes before applying them.
Generated or edited hook code could affect server behavior and request handling.
The skill documents PocketBase server-side JavaScript hooks. This is a normal PocketBase development feature, but hook files execute as part of the backend runtime.
JavaScript hooks go in `pb_hooks/*.pb.js` — the `.pb.js` extension is required - Hooks run synchronously and block the request
Review hook code before deploying it and keep hooks limited to the intended backend behavior.