Db Explorer

Review

Audited by ClawScan on May 15, 2026.

Overview

Db Explorer is a coherent instruction-only database helper, but it uses powerful database credentials and commands, so users should use least-privileged access and review queries before running them.

This skill appears benign and purpose-aligned, but database access is inherently sensitive. Before using it, provide read-only or narrowly scoped credentials, review every query before it runs, be especially careful with exports and write/delete/drop operations, and clean up any temporary data files afterward.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If you provide a privileged production credential, the agent may be able to view, export, or, with confirmation, modify sensitive database records.

Why it was flagged

The skill expects database credentials from the user. This is necessary for its purpose, but the credential may grant broad access depending on the account provided.

Skill content

Ask the user for:
- Database type (postgres/mysql/sqlite/mongo/redis)
- Connection string OR host/port/database/user/password

Recommendation

Use least-privileged or read-only database users, avoid sharing reusable passwords in chat when possible, and rotate credentials if they may have been exposed.

What this means

A mistaken approval or incorrect query could alter or delete database data.

Why it was flagged

The instructions allow high-impact database write or destructive commands if the user confirms them, while also documenting a confirmation requirement.

Skill content

Read-only by default — Never run INSERT/UPDATE/DELETE/DROP without explicit user confirmation

Recommendation

Review the exact SQL or database command before approval, test risky changes in a transaction or staging database, and keep the read-only default unless a write is truly needed.

What this means

Exported files may contain sensitive data and may remain on disk after the task is complete.

Why it was flagged

The skill documents full-table export commands. This is aligned with the export purpose, but it can copy sensitive or large datasets to local files.

Skill content

psql "$CONN" -c "\copy (SELECT * FROM table_name) TO '/tmp/export.csv' WITH CSV HEADER"

Recommendation

Export only the needed rows and columns, store files in an appropriate secure location, and delete temporary exports when finished.

What this means

Installing database clients from untrusted or incorrect sources could introduce unrelated local software risk.

Why it was flagged

The skill relies on external database client tools installed separately through package managers. This is normal for the purpose and is not automatic, but users should install from trusted sources.

Skill content

PostgreSQL | psql | brew install postgresql | apt install postgresql-client

Recommendation

Use official package repositories or vendor instructions, and verify the tool being installed before running database commands.