Postgres Manager
Pass
Audited by ClawScan on May 10, 2026.
Overview
This skill coherently manages a local PostgreSQL Docker container, with the main cautions being local database mutation, persistent Docker state, default dev credentials, and minor provenance/version inconsistencies.
This appears safe for its stated local-development purpose. Before installing or using it, confirm you are comfortable letting it manage a Docker PostgreSQL container, change the default POSTGRES_PASSWORD if the machine or Docker network is shared, and be careful with dump/drop commands because they can alter local databases.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If invoked with the wrong database name, the user could modify or delete a local development database.
The script exposes database mutation operations including create, drop, and dump/import. These are central to the skill's purpose and include validation and confirmation for drop-db, but they can still alter or remove local development data.
./run.sh create-db <nome> ... ./run.sh drop-db <nome> ... ./run.sh dump <origem> <destino>
Use the status and list-dbs commands first, keep backups of important dev data, and verify database names before running dump or drop-db.
On a shared machine or shared Docker network, other local containers/users could access the dev database if the default password is left unchanged.
The container defaults to a simple development password. The artifacts disclose this and bind the host port to localhost, but other containers on the shared Docker network may be able to connect using the default credentials.
POSTGRES_PASSWORD: ${POSTGRES_PASSWORD:-pgpass}
Set a unique POSTGRES_PASSWORD before starting the container, especially on shared machines or when storing non-test data.
The container image source is a normal dependency for this kind of skill, but users rely on the upstream Docker image matching the expected PostgreSQL build.
The runtime depends on pulling a public Docker image. The tag is version-pinned, which is better than latest, but it is not digest-pinned.
image: postgres:16.4-alpine
Use trusted Docker registries and consider digest-pinning the image if reproducibility or supply-chain assurance is important.
The database service and its data may remain available after the immediate task completes, consuming resources and retaining local data.
The PostgreSQL container is configured to keep running and restart after Docker daemon restarts. This persistence is disclosed in SKILL.md and is expected for a local database service.
restart: unless-stopped
Run ./run.sh stop when finished, and only use docker compose down -v if you intentionally want to delete the persisted volume.
