Skill v1.0.0
ClawScan security
Neon · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Mar 10, 2026, 4:38 PM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill is an instruction-only wrapper for the official neonctl CLI and its requirements and instructions are consistent with managing Neon Serverless Postgres via that tool.
- Guidance: This skill is essentially documentation for using the neonctl CLI. Before installing or using it:
  1) Confirm you trust the neonctl npm package (look at the npm page, maintainer, and version).
  2) Be aware that global npm installs can run code during installation — consider installing in a controlled environment or using a container.
  3) Only provide API keys when required and store them securely; the skill itself does not request secrets but the CLI will need authentication to act on your Neon account.
  4) If you want the agent to run neonctl commands automatically, understand the agent will be able to invoke the CLI and perform operations on your Neon projects.
Review Dimensions
- Purpose & Capability (ok): Name, description, and provided commands all align with Neon/neonctl functionality (projects, branches, databases, roles, endpoints, connection strings). There are no unrelated binaries, env vars, or config paths requested.
- Instruction Scope (ok): SKILL.md only documents installing neonctl, authenticating with neonctl, and running neonctl commands (with --output json recommended). It does not instruct reading unrelated files, scanning system state, or exfiltrating data.
- Install Mechanism (note): There is no formal install spec in the registry (instruction-only), but SKILL.md recommends `npm i -g neonctl`. Global npm installs are common for CLIs but run package install scripts — verify the neonctl package source and review npm package metadata before installing.
- Credentials (ok): The skill declares no required environment variables or credentials. The documented CLI supports an --api-key flag, which is expected and proportional for a cloud DB management tool.
- Persistence & Privilege (ok): Skill is not always-enabled; it is user-invocable and allows normal autonomous invocation. It does not request system-wide persistence or modify other skills' configs.
