Trust Assessment
claimable-postgres received a trust score of 0/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 8 findings: 3 critical, 1 high, 3 medium, and 1 low severity. Key findings include "File read + network send exfiltration", "Sensitive path access: Environment file", and "Potential Command Injection via User-Controlled CLI Options".
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The Manifest Analysis layer scored lowest at 40/100, indicating areas for improvement.
Last analyzed on May 1, 2026 (commit 38c7da85). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (8)
| Severity | Finding | Details and recommendation | Layer | Location |
|---|---|---|---|---|
| CRITICAL | File read + network send exfiltration | .env file access. Remove access to sensitive files not required by the skill's stated purpose. SSH keys, cloud credentials, and browser data should never be read by skills unless explicitly part of their declared functionality. | Manifest | skills/claimable-postgres/SKILL.md:91 |
| CRITICAL | File read + network send exfiltration | .env file access. Remove access to sensitive files not required by the skill's stated purpose. SSH keys, cloud credentials, and browser data should never be read by skills unless explicitly part of their declared functionality. | Manifest | skills/claimable-postgres/SKILL.md:162 |
| CRITICAL | Potential Command Injection via User-Controlled CLI Options | The skill instructs the agent to execute `npx neon-new` and `psql` commands, allowing user-provided values for several options such as `--env`, `--key`, `--seed`, and `--ref` for `npx neon-new`, and the `seed.sql` file path for `psql`. If the agent directly interpolates unsanitized user input into these shell commands, a malicious user could inject arbitrary shell commands, leading to remote code execution or data exfiltration. For example, a user could provide `--env '; rm -rf /; #'` to execute a destructive command. The agent must strictly sanitize and validate all user-provided inputs before constructing and executing shell commands. Use command execution libraries that properly escape arguments (e.g., `shlex.quote` in Python) or validate inputs against a strict allowlist of safe characters and patterns. File paths should be validated to prevent directory traversal and ensure they point to expected locations. | LLM | SKILL.md:149 |
| HIGH | Potential Command Injection via User-Controlled SQL Seed File Path | The agent workflow for the API path includes executing `psql "$DATABASE_URL" -f seed.sql` if the user has a seed SQL file. If the `seed.sql` file path is directly taken from user input without proper sanitization, a malicious user could provide a path containing shell metacharacters or pointing to an executable script, leading to command injection. The agent must strictly validate and sanitize the `seed.sql` file path provided by the user. Ensure the path is within expected boundaries, does not contain malicious characters, and points to a valid SQL file. Consider using a dedicated API for file operations rather than direct shell execution if possible, or ensure robust input escaping. | LLM | SKILL.md:160 |
| MEDIUM | Sensitive path access: Environment file | Access to Environment file path detected: '.env.local'. This may indicate credential theft. Verify that access to this sensitive path is justified and declared. | Static | skills/claimable-postgres/SKILL.md:91 |
| MEDIUM | Sensitive path access: Environment file | Access to Environment file path detected: '.env.local'. This may indicate credential theft. Verify that access to this sensitive path is justified and declared. | Static | skills/claimable-postgres/SKILL.md:162 |
| MEDIUM | Excessive Permissions Required for Shell Execution and File I/O | The skill requires the agent to execute arbitrary shell commands (`npx`, `psql`, `curl`) and perform file I/O operations (reading `seed.sql`, writing to `.env` files at user-specified paths). While necessary for the skill's functionality, this broad capability, especially when combined with potential command injection vulnerabilities, increases the attack surface. An exploited vulnerability could allow an attacker to read/write arbitrary files or execute arbitrary commands on the agent's host system. Implement strict sandboxing for the agent's execution environment to limit its access to the filesystem and network. Restrict file write operations to specific, designated directories. Ensure that the agent's permissions are minimized to only what is absolutely necessary for the skill to function. | LLM | SKILL.md:149 |
| LOW | Supply Chain Risk from Unpinned Dependency Version | The skill explicitly instructs the agent to use `npx neon-new@latest`. While this ensures the latest features and bug fixes, it also introduces a supply chain risk. If a malicious update to the `neon-new` package is published, the agent would automatically download and execute it without a version pin, potentially leading to compromise. Consider pinning the `neon-new` package to a specific major or minor version (e.g., `npx neon-new@1.2.3`) instead of `@latest`. This provides greater stability and reduces the risk of automatically pulling a compromised or breaking version. Regular security audits of dependencies should also be performed. | LLM | SKILL.md:146 |
Full report: https://skillshield.io/report/3392a4f163cc518f