pgpm-env
Audited by Socket on Feb 27, 2026
1 alert found:
Security: This skill documentation is primarily a benign usage guide for setting PostgreSQL environment variables and running commands with them. The main security concern is credential exposure and unsafe patterns: it demonstrates exporting plaintext passwords as examples and recommends `eval "$(pgpm env)"`, which will execute whatever the `pgpm` CLI outputs in the user's shell. That pattern is sensitive — if the `pgpm` binary or its update channel is compromised, an attacker could execute arbitrary shell commands in users' shells. There is also moderate risk that users will copy example passwords into real environments. No evidence of malicious code, obfuscation, or explicit exfiltration is present in this fragment. Recommended mitigations: avoid shipping example plaintext credentials, encourage secure secret handling (use .pgpass or secret managers), advise verifying the source of the `pgpm` CLI and avoid eval patterns with untrusted binaries, and validate/sanitize any user-provided command strings in implementations.