pgpm-env

Warn

Audited by Gen Agent Trust Hub on Feb 27, 2026

Risk Level: MEDIUM
Categories: COMMAND_EXECUTION, CREDENTIALS_UNSAFE
Full Analysis
  • [COMMAND_EXECUTION]: The skill repeatedly recommends eval "$(pgpm env)" to load variables into the current shell session. This pattern runs whatever the pgpm CLI prints as shell code, with the user's privileges, so if the tool's output is compromised or influenced by the configuration files it reads, the result is arbitrary command execution rather than a set of variable assignments.
  • [COMMAND_EXECUTION]: The documentation suggests using bash -c to execute concatenated command strings. Building a command line by string concatenation is a shell injection vector whenever any part of the string comes from untrusted input.
  • [COMMAND_EXECUTION]: The skill instructs users to modify persistent shell configuration files such as ~/.bashrc and ~/.zshrc to add aliases that automatically run the eval logic. This makes the eval happen in every future session, so a compromised pgpm binary or configuration would affect the user's shell persistently rather than once.
  • [CREDENTIALS_UNSAFE]: The documentation contains hardcoded default credentials (e.g., PGPASSWORD="password", PGUSER="supabase_admin"). Although intended for local development, hardcoding credentials in instruction files is poor practice because such values tend to be copied verbatim into other environments.
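
The following is an added example, not code from the pgpm project or from the audited skill, showing the safer alternative to eval "$(pgpm env)": parse the tool's output as KEY=VALUE lines and export only those that are well-formed, rejecting anything that would have executed as a command. The sample output is constructed for the example (it stands in for what a pgpm env call might print) and the function names load_env_line and load_env_output are this example's own.

```shell
#!/usr/bin/env bash
# Added example (not part of pgpm): load KEY=VALUE lines from a tool's
# output without handing that text to eval.

# Constructed stand-in for `pgpm env` output. The PGUSER line carries a
# deliberately injected command: eval "$(...)" would run `touch /tmp/pwned`.
# The BAD-NAME line is not a valid shell identifier.
SAMPLE_OUTPUT='export PGHOST="localhost"
export PGPORT=5432
export PGUSER="supabase_admin"; touch /tmp/pwned
PGDATABASE=postgres
export BAD-NAME="x"'

# Accepted shapes: NAME="value" with no quote, $, backtick or backslash
# inside the quotes, or NAME=bareword made of a conservative character set.
# Anything else (command separators, substitutions, extra tokens) is rejected.
re_quoted='^([A-Za-z_][A-Za-z0-9_]*)="([^"$`\\]*)"$'
re_bare='^([A-Za-z_][A-Za-z0-9_]*)=([A-Za-z0-9_./:@-]*)$'

# Validate and export one line. Returns 0 if exported, 1 if rejected.
load_env_line() {
  local line="$1" name value
  line="${line#export }"               # tolerate an optional "export " prefix
  if [[ "$line" =~ $re_quoted ]]; then
    name="${BASH_REMATCH[1]}"; value="${BASH_REMATCH[2]}"
  elif [[ "$line" =~ $re_bare ]]; then
    name="${BASH_REMATCH[1]}"; value="${BASH_REMATCH[2]}"
  else
    return 1
  fi
  export "$name=$value"                # assignment only; nothing is executed
  return 0
}

# Load every non-empty line; the return value is the number of rejected
# lines, so a caller can fail closed on any nonzero status.
load_env_output() {
  local rejected=0 line
  while IFS= read -r line; do
    [ -z "$line" ] && continue
    if ! load_env_line "$line"; then
      rejected=$((rejected + 1))
      printf 'rejected: %s\n' "$line" >&2
    fi
  done <<< "$1"
  return "$rejected"
}

if load_env_output "$SAMPLE_OUTPUT"; then
  echo "all lines loaded"
else
  echo "refusing to trust this output: $? line(s) rejected"
fi
```

Used as a replacement for the eval pattern, this would be called on the real command's output, e.g. load_env_output "$(pgpm env)", and the shell profile alias would invoke that function instead of eval. The strict value grammar is a deliberate choice: it refuses legitimate but unusual values (embedded spaces in a bare word, escaped quotes) in exchange for never interpreting the tool's output as code.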
Audit Metadata
Risk Level
MEDIUM
Analyzed
Feb 27, 2026, 05:14 AM