Neon
Security checks across static analysis, malware telemetry, and agentic risk
Overview
This is a coherent Neon CLI helper, but it can authenticate to and change cloud database resources, so destructive actions and secrets should be handled carefully.
This skill appears to be a straightforward reference for using neonctl. Before installing or invoking it, confirm the npm package source, use least-privilege Neon credentials, and require explicit confirmation before deleting or resetting any project, branch, database, or role.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
An agent using these commands could delete or reset Neon resources if directed incorrectly.
The skill documents destructive cloud database operations. They are consistent with a Neon management CLI, but should be used only when the user explicitly asks for them.
`neonctl projects delete <id>` ... `neonctl branches reset <branch-id> --project-id <id> --parent` ... `neonctl databases delete <name> --project-id <id> --branch-id <id>`
Before running delete or reset commands, require explicit user confirmation, the resource IDs involved, and awareness of backup and rollback options.
The agent may see or use Neon account credentials and database connection strings during normal operation.
The skill uses Neon authentication and can retrieve connection strings, which are expected for this integration but involve account access and database credentials.
`neonctl auth` ... `--api-key <key>` ... `neonctl connection-string --project-id <id>`
Use least-privilege Neon API keys where possible, avoid exposing connection strings unnecessarily, and do not paste secrets into unrelated chats or logs.
Installing a global CLI package changes the local environment and depends on the package source being trustworthy.
The skill relies on installing a global npm CLI package. This is expected for a CLI helper, but users are trusting the npm package and their local global Node environment.
install_command: "npm i -g neonctl"
Install neonctl from the official package source, keep it updated, and verify the package identity before installation.
