postgres
Pass
Audited by Gen Agent Trust Hub on Jun 25, 2026
Risk Level: SAFE
Full Analysis
- [COMMAND_EXECUTION]: Several scripts (
secure_setup.sh,secure_setup.py,add_client.py,cleanup_client.py, andget_admin_conn.sh) execute external CLI tools such asdoctl,gh, andpsqlto manage infrastructure. - These executions are the primary function of the skill and are performed using structured command lists (e.g.,
subprocess.run(['doctl', ...])) rather than raw shell strings. - Input variables used as SQL identifiers (like schema names or usernames) are validated against a strict regular expression (
^[A-Za-z_][A-Za-z0-9_]*$) to prevent injection attacks. - [CREDENTIALS_UNSAFE]: Static detection flagged potential hardcoded connection strings in
scripts/secure_setup.pyandreference/path-b-schema-isolation.md. - Detailed review confirms these are non-sensitive templates and documentation examples using placeholders like
{username}:{password}orCHANGE_ME_SECURE_PASSWORD. - The skill does not contain any actual hardcoded secrets.
- [DATA_EXFILTRATION]: The skill handles sensitive database credentials during setup processes.
- Passwords are generated using cryptographically secure methods (
secretsmodule in Python,opensslin shell). - The 'Hands-Free' setup scripts are designed to transmit generated passwords directly to GitHub Secrets using the
ghCLI, ensuring credentials are never printed to the console or stored in local logs. - [SAFE]: The skill is authored by an official DigitalOcean entity and exclusively interacts with verified services and tools. The use of bindable variables for managed databases represents a high-security pattern that eliminates the need for manual password handling by the user.
Audit Metadata