PostgreSQL Database
Advisory
Audited by Static analysis on Apr 30, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If invoked with powerful database credentials, the skill could change or delete production data with the authority of that account.
The query helper executes a caller-provided SQL string and commits non-result statements, enabling write/delete operations without built-in confirmation, allowlisting, or read-only defaults.
cur.execute(query) ... conn.commit()
Use least-privilege or read-only database users by default, require explicit user confirmation for INSERT/UPDATE/DELETE/DDL, and add dry-run or transaction rollback guidance for risky changes.
A restore against the wrong database could remove existing tables or objects and cause broad data loss or service disruption.
The restore path always includes pg_restore --clean, which drops existing database objects during restore, with no confirmation or environment containment shown.
'--clean', # Drop existing objects
Require explicit confirmation before restore, warn clearly about --clean, default to non-destructive restore where possible, and restrict use to verified backup files and target databases.
The skill’s database actions will run with whatever privileges the configured PostgreSQL account has.
The script uses PostgreSQL credentials from the environment and defaults to the high-privilege postgres user if PGUSER is not set.
user=os.environ.get('PGUSER', 'postgres'), password=os.environ.get('PGPASSWORD', '')
Configure a dedicated least-privilege PostgreSQL user and avoid using superuser credentials unless the specific task requires them.
Users may need to install dependencies manually, and dependency versions/provenance are not controlled by the skill package.
The skill documents required local tools and Python libraries, but the registry requirements and install spec do not declare or pin them.
- PostgreSQL client tools (psql, pg_dump)
- Python 3.7+
- psycopg2 or asyncpg library
Declare required binaries, environment variables, and pinned Python dependencies in installation metadata or provide clear, trusted setup instructions.
