@ruvector/postgres-cli

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The skill's runtime repeatedly invokes "npx @ruvector/postgres-cli@latest", which causes npx to fetch and execute remote package code from the npm registry (see https://www.npmjs.com/package/@ruvector/postgres-cli), so external content is executed at runtime.

MEDIUM W013: Attempt to modify system services in skill instructions.

• Attempt to modify system services in skill instructions detected (medium risk: 0.40). The skill includes install/uninstall and start/stop operations and references system data directories (e.g., /var/lib/pg) which can modify system state and may require elevated privileges, but it does not explicitly instruct privilege escalation, editing system service files, or creating OS users.