ClawHub
Back to skill

Security audit

postgres-pro

Security checks across malware telemetry and agentic risk

Overview

This PostgreSQL helper is not deceptive, but it tells an agent to carry out high-impact database operations without clear approval or safety boundaries.

Use this only for PostgreSQL administration tasks and treat it as advisory by default. Before letting it change schemas, configuration, authentication, replication, backups, failover, vacuum settings, or production systems, require a named target environment, a recent verified backup, a rollback plan, and explicit approval for each change.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence
87% confidence
Finding
The skill can be invoked for broadly defined PostgreSQL-related tasks without clear trigger boundaries or scope limits, which increases the chance it will act in contexts where database changes are unsafe, incomplete, or not explicitly authorized. Because the skill is framed to review and then 'implement comprehensive PostgreSQL solutions,' ambiguous invocation can lead to overreach into production-affecting actions.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The skill explicitly directs itself to implement configuration, replication, backup, and failover changes but does not require safeguards such as change approval, maintenance windows, rollback plans, backup verification, or warnings about availability and data-loss risks. In a PostgreSQL administration context, these actions are inherently high impact and can cause outages, split-brain, failed recovery, degraded performance, or permanent data loss if performed automatically or prematurely.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal