v1.0.0

PocketBase

BenignClawScan verdict for this skill. Analyzed May 1, 2026, 5:32 AM.

Analysis

This is an instruction-only PocketBase reference; it mentions admin credentials and server-side hooks, but those are expected for building PocketBase backends.

GuidanceThis skill appears safe as a PocketBase reference, but be careful when using it for admin operations or server hooks: admin credentials can control backend data, and hook files run as backend code.

Findings (2)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Unexpected Code Execution

SeverityLowConfidenceHighStatusNote

SKILL.md

JavaScript hooks go in `pb_hooks/*.pb.js` — the `.pb.js` extension is required
- Hooks run synchronously and block the request

The skill documents PocketBase server-side JavaScript hooks. This is a normal PocketBase development feature, but hook files execute as part of the backend runtime.

User impactGenerated or edited hook code could affect server behavior and request handling.

RecommendationReview hook code before deploying it and keep hooks limited to the intended backend behavior.

Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse

SeverityMediumConfidenceHighStatusNote

SKILL.md

Admin endpoints need superuser auth, not regular user tokens
- Create admin token: `pb.admins.authWithPassword(email, password)`

The skill instructs use of PocketBase superuser/admin authentication. That is expected for admin API work, but it is high-privilege credential handling that users should treat carefully.

User impactIf the agent uses admin credentials, it could access or change privileged PocketBase backend data depending on the user's instructions and server permissions.

RecommendationOnly provide PocketBase admin credentials when needed, prefer least-privilege accounts where possible, and review any admin API changes before applying them.