Planetscale Cli Skills

Security checks across malware telemetry and agentic risk

Overview

This is a legitimate PlanetScale CLI helper, but it gives agents ready-to-run commands for live database changes without enough safety guardrails.

Install only if you want an agent to help operate real PlanetScale resources. Before allowing commands, verify the org, database, branch, and environment; require explicit confirmation for delete, promote, deploy, revert, and script runs using deployment flags; keep tokens in a CI secret store or vault; avoid sharing terminal output that may contain credentials; and prefer reviewed deploy-request workflows over automatic production deployment.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (10)

Missing User Warnings

Medium
Confidence: 82%
Finding
The skill documents operational commands that can delete databases or branches and promote schema changes without embedding clear user-facing warnings about irreversible or production-impacting actions. In an agent context, concise command references may be executed or suggested with limited scrutiny, increasing the chance of accidental destructive actions against real PlanetScale environments.

Missing User Warnings

Medium
Confidence: 92%
Finding
The skill instructs users to export live service-token credentials and use them in automation, but it does not warn against logging, echoing, hardcoding, or committing those secrets. In a CI/CD context, this omission can lead to credential leakage through shell history, build logs, screenshots, or repository commits, potentially allowing unauthorized access to PlanetScale resources.

Missing User Warnings

Medium
Confidence: 91%
Finding
The skill documents a destructive command, `pscale backup delete`, without any warning, verification step, or recommendation to confirm the target backup ID and branch before execution. In an agent setting, this increases the chance of accidental data-loss actions being suggested or executed against the wrong backup, especially because backup deletion is irreversible from the user's perspective.

Vague Triggers

Medium
Confidence: 89%
Finding
The trigger list includes very generic terms such as "branch" and "create branch," which can cause this skill to activate for unrelated Git, CI/CD, or other branching contexts. Misrouting to a database-branch skill can lead an agent to suggest or prepare PlanetScale branch operations in the wrong context, increasing the chance of unintended infrastructure actions.

Missing User Warnings

Medium
Confidence: 80%
Finding
The skill presents destructive deletion commands as routine examples without an explicit warning, confirmation step, or guidance on production/protected branch risks. In an agent setting, this increases the likelihood that a user or downstream automation executes irreversible branch deletion against the wrong database branch, potentially disrupting migration workflows or losing in-progress schema work.

Vague Triggers

Medium
Confidence: 92%
Finding
The trigger list includes the single word "database," which is overly broad and likely to activate this skill for many unrelated requests involving databases, not just PlanetScale CLI operations. In an agent setting, over-broad routing can cause the model to surface or suggest PlanetScale-specific commands in the wrong context, increasing the chance of unintended administrative or destructive actions.

Missing User Warnings

High
Confidence: 96%
Finding
The skill documents `pscale database delete <database>` as a common command without any warning about irreversibility, confirmation steps, environment checks, or safer alternatives. In a CLI-assistance skill for live database administration, presenting destructive deletion guidance without guardrails materially raises the risk of accidental production data loss or disruption.

Missing User Warnings

Medium
Confidence: 93%
Finding
The skill documents `deploy` and `revert` commands that directly affect production schema state, but it does not place an explicit warning near those commands about service impact, destructive schema effects, or possible user-data loss. In an agent skill context, concise command references can be executed or suggested with little friction, so missing safety framing increases the chance of unsafe production changes being performed without adequate review or backups.

Missing User Warnings

Medium
Confidence: 96%
Finding
The automation example includes `--auto-approve` for schema deployment without a clear warning that this bypasses manual review safeguards. In a production database workflow, auto-approval can cause unreviewed or incorrect schema changes to be deployed rapidly, amplifying the blast radius of mistakes or malicious modifications.

Missing User Warnings

Medium
Confidence: 93%
Finding
The skill instructs users to create database passwords, shows a returned connection string containing credentials, and recommends exporting it to an environment variable without any warning about secret exposure, logging, shell history, or secure storage. It also includes destructive deletion commands without cautionary guidance, increasing the chance of accidental credential misuse, leakage, or service disruption.

VirusTotal

64/64 vendors flagged this skill as clean.
