ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Neon Database Complete Documentation

v0.1.0

Complete Neon Serverless Postgres documentation. Covers serverless setup, branching, autoscaling, integrations (Vercel, Drizzle, Prisma), connection pooling, extensions, and best practices.

2· 2.7k·0 current·0 all-time
by@leonaaardob
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name/description describe Neon Serverless Postgres docs and the package contains ~546 markdown docs from Neon. There are no unexpected required binaries, env vars, or install steps; the single JS file is a small shared-content helper. The requested footprint matches a documentation-only skill.
Instruction Scope
SKILL.md and the included documentation are reference material. Many docs include example commands and examples that reference env vars (DATABASE_URL, NEON_API_KEY, OPENAI_API_KEY) and curl/neonctl usage — which is normal for documentation. The SKILL.md includes an explicit Security Notice warning agents not to auto-execute commands, which mitigates accidental autonomous execution. Still, if an agent were to run examples automatically, they could cause side effects — treat the examples as inert unless you explicitly run them.
Install Mechanism
No install spec; this is instruction-only with files bundled in the skill. Nothing is downloaded or extracted at install time, so install risk is low.
Credentials
The skill declares no required credentials or config paths (none listed). However, many documentation pages show sample commands that expect API keys or connection strings. Those examples are expected in docs but are not required by the skill itself — do not provide secrets to the skill just because the docs show them.
Persistence & Privilege
always is false and disable-model-invocation is false (normal). The skill does not request to persist credentials or edit other skills. Autonomous invocation is allowed by default; this is typical for skills but combine caution with the instruction-scope note above.
Scan Findings in Context
[unicode-control-chars] unexpected: A prompt-injection pattern detector flagged unicode control characters in SKILL.md. In documentation dumps this can be benign (formatting/artifacts from extraction), but control characters can also be used for hidden instructions. Manual inspection flagged nothing else malicious; review SKILL.md for unexpected invisible characters before trusting automated processing.
Assessment
This skill appears to be a straightforward copy of Neon’s public documentation and is internally consistent. Before installing or enabling autonomous use: 1) Do not allow the agent to auto-execute any example commands — the package itself warns against it. 2) Never paste production secrets (NEON_API_KEY, DATABASE_URL, OPENAI_API_KEY, etc.) into prompts or request the skill to 'use' them without explicit, deliberate action. 3) If you plan to let an agent act autonomously with this skill, restrict it from executing shell commands or network operations unless you explicitly approve each action. 4) Inspect SKILL.md for any invisible/control characters (scan finding) and confirm the source (the homepage/repository listed matches Neon’s public docs). If you need higher assurance, fetch docs directly from the official Neon repo/website and compare hashes.

Like a lobster shell, security has layers — review code before you run it.

latestvk97dppxwn9fmh0npyty4cb9sm580qfe2

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments