Turso
Security checks across static analysis, malware telemetry, and agentic risk
Overview
No hidden behavior is evident, but users should treat this skill's Turso account, token, deletion, billing, and installer commands with care.
Install this only if you intend to manage Turso resources through the CLI. Confirm destructive or billing-related commands carefully, keep Turso tokens private, prefer expiring database tokens, and verify the CLI installer source before running the setup commands.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
An agent using these commands could delete Turso resources or change the account plan if the user's request is unclear or the user approves the wrong command.
The skill lists destructive database/group operations and a plan upgrade command. These are purpose-aligned Turso CLI capabilities, but they can materially affect data or billing if used without explicit user intent.
`turso db destroy <name>` ... `turso group destroy <name>` ... `turso plan upgrade`
Only allow these commands after an explicit user request and a clear confirmation of the target database, group, organization, and billing impact.
Tokens shown to or created by the agent may grant continued access to Turso databases or the Turso account until revoked.
The skill documents Turso login, retrieval of an auth token, and creation of non-expiring database tokens. This is expected for Turso administration, but it involves sensitive credentials and long-lived access.
`turso auth login` ... `turso auth token` ... `turso db tokens create <name> --expiration none`
Avoid printing or storing tokens unless necessary, prefer expiring tokens, and revoke any token that was exposed or no longer needed.
If the installer source or network path were compromised, installing the CLI could run unwanted code on the user’s machine.
The setup instructions install an external CLI, including a curl-to-bash remote installer. This is a common user-directed setup pattern, but it relies on the remote source being trustworthy at install time.
`brew install tursodatabase/tap/turso` ... `curl -sSfL https://get.tur.so/install.sh | bash`
Install from trusted sources, verify the Turso installer URL, and inspect or pin installation methods where possible.
