skills/24601/surreal-skills/surrealdb/Gen Agent Trust Hub

surrealdb

Pass

Audited by Gen Agent Trust Hub on Jun 18, 2026

Risk Level: SAFE
Full Analysis
  • [SAFE]: The skill demonstrates an exceptional security posture. It includes a dedicated SECURITY.md file, a SOURCES.json for provenance tracking, and a CI script to ensure version consistency. All diagnostic scripts are auditable and follow PEP 723 for transparent dependency management.
  • [COMMAND_EXECUTION]: The Python scripts (doctor.py, onboard.py, schema.py) execute local shell commands such as surreal version and gh api. These operations are used exclusively for environment verification and update monitoring. User-supplied inputs, such as table names in schema.py, are strictly validated against a safe alphanumeric regex ([a-zA-Z_][a-zA-Z0-9_]*) to prevent command or query injection.
  • [EXTERNAL_DOWNLOADS]: External references are limited to the official SurrealDB vendor organization on GitHub and standard package registries (PyPI, npm). The documentation proactively warns users about potential supply-chain risks, such as setup-time native library downloads in the experimental SurrealML package.
  • [CREDENTIALS_UNSAFE]: The skill correctly handles sensitive data by using environment variables (SURREAL_USER, SURREAL_PASS) and explicitly marking them as sensitive in the manifest. No hardcoded secrets or insecure credential storage patterns were found.
Audit Metadata
Risk Level
SAFE
Analyzed
Jun 18, 2026, 02:52 AM
Security Audit — agent-trust-hub — surrealdb