pgpm
Pass
Audited by Gen Agent Trust Hub on Apr 3, 2026
Risk Level: SAFE
Full Analysis
- [SAFE]: The skill documentation is focused on the legitimate use of the pgpm tool for database lifecycle management.
- [EXTERNAL_DOWNLOADS]: The skill facilitates downloading database modules and extensions from the npm registry (e.g., @pgpm/* packages). These are standard operations for a package manager and target well-known package registries.
- [COMMAND_EXECUTION]: The skill uses standard CLI commands for managing Docker containers (pgpm docker start) and environment variables. These operations are restricted to the local development environment and are standard for the described workflow.
- [DATA_EXFILTRATION]: No patterns for unauthorized data exfiltration were detected. The use of standard PostgreSQL environment variables (PGHOST, PGPORT, etc.) is documented for local connectivity.
- [REMOTE_CODE_EXECUTION]: While the skill involves installing and running packages from npm, these are expected behaviors for a developer tool and originate from the tool's own ecosystem.
Audit Metadata