Automated audit: This issue was generated by NLPM, a natural language programming linter, running via claude-code-action. Please evaluate the findings on their merits.
Summary
NLPM (a natural language programming linter) audited this repository and found it in excellent shape overall — 94/100 NL quality score across 9 skill files. The TimescaleDB trilogy is well-structured, cross-references are consistent, and the API deprecation table in setup-timescaledb-hypertables is a nice touch.
This issue documents two security findings from the automated audit and links the corresponding fix PRs.
NLPM Methodology
NLPM scores natural-language artifacts (SKILL.md, CLAUDE.md, agent definitions) on a 100-point scale, checking for: missing frontmatter, broken cross-references, vague quantifiers, structural conventions, and security patterns in executable surfaces (hooks, scripts, package manifests). Findings in the "Bugs" and "Medium/Low security" categories are offered as PRs; Critical/High findings are disclosed privately.
Security Findings
| # | Severity | File | Finding | PR |
|---|----------|------|---------|----|
| 1 | Medium | `src/migrate.ts` (lines 37, 42, 51) + `src/apis/searchDocs.ts` (lines 149–155) | `${schema}` interpolated as unquoted SQL identifier; could break queries if `DB_SCHEMA` contains SQL metacharacters | PR #104 |
| 2 | Low | `package.json` (lines 33–40) | Six production dependencies use `^` caret ranges; fresh installs without the lock file may pull unexpected upgrades | PR #105 |
NL Quality (informational, no PR)
The NL quality findings are minor and informational only — no PRs submitted for these:
- `CLAUDE.md`: "required for gpt-5 compatibility" — GPT-5 doesn't exist; likely means GPT-4 or an internal model identifier
- Several skill files: vague quantifiers like "appropriate", "usually", "mostly", "significantly", "roughly", "slightly" (−2 penalty each in NLPM scoring)
PRs Created
If any of these findings are incorrect, please let me know and I'll update the NLPM rule database accordingly.
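The identifier handling that finding #1 is about, shown as an added TypeScript example. This is not code from the repository or from PR #104; the function names and the `SET search_path` statement are assumptions used for illustration. The first function reproduces the shape the finding describes (a schema name from configuration spliced in as a bare identifier); the second and third show the two usual fixes: double-quoting the identifier PostgreSQL-style, or refusing anything that is not a plain identifier.

```typescript
// Added example, not the project's code. Shows why an unquoted `${schema}`
// interpolation is fragile and two ways to harden it.

// The shape the finding describes: the schema name comes from configuration
// (DB_SCHEMA) and is spliced into the statement as a bare identifier, so any
// SQL metacharacters in the value become part of the statement text.
function unsafeSetSearchPath(schema: string): string {
  return `SET search_path TO ${schema}`;
}

// Fix 1: emit a PostgreSQL quoted identifier. Inside double quotes the only
// special character is the double quote itself, which is escaped by doubling.
// NUL is rejected because it cannot appear in an identifier at all.
function quoteIdent(name: string): string {
  if (name.length === 0 || name.includes("\0")) {
    throw new Error("invalid SQL identifier");
  }
  return `"${name.replace(/"/g, '""')}"`;
}

// Fix 2 (stricter): accept only the unquoted-identifier shape PostgreSQL
// allows (leading letter or underscore, then letters, digits, underscores,
// at most 63 characters) and refuse everything else at startup.
function assertPlainIdent(name: string): string {
  if (!/^[a-z_][a-z0-9_]{0,62}$/.test(name)) {
    throw new Error(`refusing schema name ${JSON.stringify(name)}`);
  }
  return name;
}

// Hardened form of the statement above: the identifier is quoted, so a
// hostile or merely odd DB_SCHEMA value stays inside the identifier.
function safeSetSearchPath(schema: string): string {
  return `SET search_path TO ${quoteIdent(schema)}`;
}

// Constructed inputs: a normal schema name and one carrying metacharacters.
const normalSchema = "analytics";
const oddSchema = 'public"; DROP TABLE docs; --';

console.log(unsafeSetSearchPath(oddSchema)); // metacharacters land in the SQL text
console.log(safeSetSearchPath(oddSchema));   // whole value stays one identifier
console.log(assertPlainIdent(normalSchema));
```

Parameter placeholders (`$1`) cannot be used for identifiers, which is why the fix has to be quoting or validation rather than parameter binding; `pg-format`'s `%I` placeholder does the same quoting as `quoteIdent` above if the project already depends on it.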