motherduckdb/motherduck-security-governance
plugins/motherduck-skills-claude/skills/motherduck-security-governance/SKILL.md
Explain MotherDuck security, governance, and access-control patterns. Use for any question about SOC 2, GDPR, compliance, data residency, regions, SSO, service accounts, token handling, tenant isolation, sharing boundaries, snapshots and recovery, or governance posture — including when a security_compliance_owner, technical_owner, or application_builder is evaluating MotherDuck.
$ install --global
skillsauthnpx skillsauth add motherduckdb/agent-skills motherduck-security-governanceInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: Jun 11, 2026, 2:35 AM300.2s2 files scanned
SKILL.md
- name:
- motherduck-security-governance
- description:
- Explain MotherDuck security, governance, and access-control patterns. Use for any question about SOC 2, GDPR, compliance, data residency, regions, SSO, service accounts, token handling, tenant isolation, sharing boundaries, snapshots and recovery, or governance posture — including when a security_compliance_owner, technical_owner, or application_builder is evaluating MotherDuck.
- argument-hint:
- [security-question]
- license:
- MIT
Security and Governance
Use this skill when the user is evaluating whether MotherDuck can meet their security, governance, and deployment requirements. This is a workflow skill focused on control boundaries and safe patterns.
Source Of Truth
- Prefer current MotherDuck public trust, security, pricing, and product documentation.
- If the MotherDuck MCP
ask_docs_questionfeature is available, use it first. - Use current SSO and data-recovery docs when the requirement involves identity-provider login, restore windows, named snapshots, or
UNDROP DATABASE. - Verify claims against live public materials before making compliance or commercial assertions.
Default Posture
- Prefer service accounts for production systems, not personal tokens.
- Keep credentials in backend-controlled secrets, not browsers or hardcoded notebooks.
- Prefer structural isolation over query-time tenant filtering for serious B2B or CFA workloads.
- Treat region and residency as first-class architectural constraints that require current public confirmation.
- Be explicit about whether the boundary is a share, a Dive, a database, or a full application.
- Separate documented product guarantees from architectural recommendations and assumptions in the final answer.
Workflow
- Identify where credentials live and who administers them.
- Define the actual isolation boundary: account, database, schema, or query filter.
- Determine who can read, write, share, or administer the data.
- Check whether residency, compliance, or contractual guarantees are part of the requirement.
- Use only publicly documented security anchors unless the user has current commercial documentation in hand.
Open Next
- Read
references/SECURITY_GOVERNANCE_PLAYBOOK.mdfor public security anchors, service-account posture, residency framing, sharing boundaries, and what not to overstate
Related Skills
motherduck-connectfor secure token handling and endpoint selectionmotherduck-explorewhen governance depends on what data is actually present and how it is partitionedmotherduck-share-datawhen the design includes governed data distribution
Related Skills
motherduckdb/motherduck-create-flight
development
VerifiedTrustedCommunity
Create, schedule, run, and debug MotherDuck Flights — Python jobs that run on MotherDuck compute. Use whenever someone wants to create a flight, schedule a Python script or recurring job on MotherDuck, set up scheduled ingestion from Postgres, dlt sources, S3, BigQuery, Snowflake, or APIs, refresh aggregates or transformations on a cron, or operate flights with get_flight_guide, create_flight, run_flight, flight logs, secrets, schedules, and versions.
30SKILL.mdUpdated Jun 11, 2026
motherduckdb/motherduck-create-flight
development
VerifiedTrustedCommunity
Create, schedule, run, and debug MotherDuck Flights — Python jobs that run on MotherDuck compute. Use whenever someone wants to create a flight, schedule a Python script or recurring job on MotherDuck, set up scheduled ingestion from Postgres, dlt sources, S3, BigQuery, Snowflake, or APIs, refresh aggregates or transformations on a cron, or operate flights with get_flight_guide, create_flight, run_flight, flight logs, secrets, schedules, and versions.
30SKILL.mdUpdated Jun 11, 2026
motherduckdb/motherduck-share-data
data-ai
VerifiedTrustedCommunity
Create and manage MotherDuck data shares for zero-copy, read-only data distribution. Use whenever someone wants to share a database with team members, another organization, or the public — covers CREATE SHARE, access/visibility/update modes, GRANT READ ON SHARE, attaching share URLs, UPDATE SHARE, and REFRESH DATABASE.
30SKILL.mdUpdated May 7, 2026
motherduckdb/motherduck-security-governance
development
VerifiedTrustedCommunity
Explain MotherDuck security, governance, and access-control patterns. Use for any question about SOC 2, GDPR, compliance, data residency, regions, SSO, service accounts, token handling, tenant isolation, sharing boundaries, snapshots and recovery, or governance posture — including when a security_compliance_owner, technical_owner, or application_builder is evaluating MotherDuck.
30SKILL.mdUpdated May 7, 2026