moai-domain-database

Warn

Audited by Socket on Mar 2, 2026

1 alert found:

Security: MEDIUM
File: SKILL.md

This skill is primarily documentation and example code for enterprise database architecture; it contains useful patterns for pooling, caching, monitoring, migrations, replication, and security. I did not find explicit malicious code, remote exfiltration endpoints, or obfuscated payloads. However, there are multiple security concerns: example snippets include plaintext passwords; several functions build and execute SQL from raw strings without shown sanitization (SQL injection risk); the replication example embeds passwords into connection strings; and the declared allowed-tools (Bash, WebFetch, WebSearch, Write/Edit) provide an agent the ability to run shell commands, fetch remote resources, and edit files, which raises supply-chain and operational risk if the skill is executed autonomously or given access to production secrets. Recommended mitigations: remove hardcoded passwords from examples, document secure secret handling (use vaults/ENV/secret managers), always parameterize SQL and validate identifiers before interpolating, restrict agent tooling or require explicit human approval for destructive operations, and ensure logs redact sensitive parameters.

Confidence: 75%
Severity: 75%

Audit Metadata
Analyzed At: Mar 2, 2026, 05:17 PM
Package URL: pkg:socket/skills-sh/jg-chalk-io%2FNora-LiveKit%2Fmoai-domain-database%2F@82b766d0fc2b13fe79a6c61c0ae8a441b6b20cc9