neon-postgres
Pass
Audited by Gen Agent Trust Hub on Feb 26, 2026
Risk Level: SAFE
COMMAND_EXECUTION, EXTERNAL_DOWNLOADS
Full Analysis
- [COMMAND_EXECUTION]: The skill instructs the agent to run `npx neonctl@latest init` to set up the environment, install VSCode extensions, and configure MCP servers.
  - Evidence: Found in `references/devtools.md` and `references/getting-started.md`. This is a standard initialization command for the vendor's official CLI tool.
- [EXTERNAL_DOWNLOADS]: The skill fetches documentation and index files directly from the vendor's official domain.
  - Evidence: `SKILL.md` suggests fetching markdown from `https://neon.com/docs/introduction/branching.md` and the docs index from `https://neon.com/docs/llms.txt`. These are trusted vendor resources.
- [DATA_EXPOSURE]: The skill provides instructions for reading and modifying local `.env` files to store `DATABASE_URL` and `NEON_AUTH_COOKIE_SECRET`.
  - Evidence: Found in `references/getting-started.md`. The skill includes safety reminders to use environment variables and not commit connection strings to version control.
- [INDIRECT_PROMPT_INJECTION]: The skill has an attack surface where it processes data from the user's local codebase and environment to determine the integration status.
  - Ingestion points: Inspects existing connection code, ORM configurations, and `.env` files (`references/getting-started.md`).
  - Boundary markers: No specific delimiters or boundary warnings are mentioned for the codebase inspection.
  - Capability inventory: The skill can execute SQL queries, manage database branches, and provision auth resources via the Neon CLI or MCP server (`references/neon-cli.md`, `references/devtools.md`).
  - Sanitization: Not explicitly specified for the codebase analysis phase.
Audit Metadata