Skill v1.0.0

ClawScan security

Db Table Compare · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Apr 30, 2026, 12:02 AM
Verdict
suspicious
Confidence
high
Model
gpt-5-mini
Summary
The skill's purpose (compare MySQL vs ODPS schemas) matches the instructions, but the SKILL.md expects SSH access, internal hosts, and DB credentials while declaring no required credentials or config — this mismatch is suspicious and needs clarification before use.
Guidance
Do not install or run this skill until the following are clarified and mitigated:
(1) How will the agent obtain read-only DB credentials and SSH access? The SKILL.md shows real hostnames and an SSH alias but declares no required env vars. Ask the publisher to add an explicit requires.env entry and guidance on using least-privilege, read-only accounts.
(2) Confirm that 'ssh datax' and /mnt/www/... are valid for your environment; the skill assumes internal network access.
(3) Never provide high-privilege credentials inline; prefer scoped service accounts and secret management.
(4) Test in an isolated environment first (no production credentials), and verify that the skill only runs DESC/SHOW CREATE TABLE and does not execute the DDL it generates. A database account granted only SELECT (plus SHOW VIEW if views are compared) turns that into a hard guarantee instead of a promise in the SKILL.md.
(5) Ask the author to remove hard-coded examples of internal hosts and to document the exact network, SSH and credential requirements before granting access.
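Items (1), (3) and (4) can be checked mechanically before the skill is installed. The script below is an added example, not part of the ClawScan output or of the skill itself: it pulls every quoted string out of a SKILL.md's command text, classifies those that are SQL as read-only (DESC, DESCRIBE, SHOW, SELECT, EXPLAIN) or mutating (CREATE, ALTER, DROP, INSERT and so on), extracts inline password arguments, SSH targets and hard-coded hostnames, and lists environment variables the commands reference but the manifest does not declare. The two SKILL.md snippets inside it are constructed to mirror what the review describes (a pymysql one-liner against core-dev-db.fex.pub, an 'ssh datax' hop to the odpscmd path); the user names, the orders table, the ODPS_PROJECT and MYSQL_PASSWORD variable names, the odpscmd flags, and the audit/Findings names are assumptions of this example.

```python
"""Pre-install audit of a ClawHub skill's SKILL.md command text (added example).

Mechanically checks the points raised in the scanner guidance: which SQL
statements the skill's one-liners issue (read-only DESC/SHOW vs. DDL/DML),
inline passwords, hard-coded hosts and SSH aliases, and environment variables
that are referenced but not declared in the manifest's requires.env.
"""
import re
from dataclasses import dataclass, field

READ_ONLY = {"DESC", "DESCRIBE", "SHOW", "SELECT", "EXPLAIN"}
MUTATING = {"CREATE", "ALTER", "DROP", "INSERT", "UPDATE", "DELETE",
            "TRUNCATE", "RENAME", "REPLACE", "GRANT", "REVOKE"}

DOUBLE_QUOTED = re.compile(r'"((?:[^"\\]|\\.)*)"')
SINGLE_QUOTED = re.compile(r"'((?:[^'\\]|\\.)*)'")
FIRST_WORD = re.compile(r"\s*([A-Za-z]+)")
PASSWORD_ARG = re.compile(r"(?i)\b(?:password|passwd|pwd)\s*=\s*['\"][^'\"]+['\"]")
SSH_TARGET = re.compile(r"\bssh\s+(?:-\S+\s+)*([A-Za-z0-9_.@-]+)")
HOSTNAME = re.compile(r"[a-z0-9-]+(?:\.[a-z0-9-]+){2,}")
# os.environ['X'] / os.environ.get('X') inside python -c strings, or $X / ${X} in shell
ENV_REF = re.compile(r"os\.environ(?:\.get\(|\[)\s*['\"]([A-Z0-9_]+)['\"]|\$\{?([A-Z][A-Z0-9_]*)\}?")


@dataclass
class Findings:
    read_only_sql: list = field(default_factory=list)
    mutating_sql: list = field(default_factory=list)
    inline_passwords: list = field(default_factory=list)
    ssh_targets: list = field(default_factory=list)
    hosts: list = field(default_factory=list)
    undeclared_env: list = field(default_factory=list)

    def blocks_install(self) -> bool:
        # Any one of these is a "do not run yet" condition in the guidance above.
        return bool(self.mutating_sql or self.inline_passwords or self.undeclared_env)


def string_literals(text: str) -> list[str]:
    """Every single- and double-quoted literal, including ones nested inside a python -c string."""
    found = []
    for pat in (DOUBLE_QUOTED, SINGLE_QUOTED):
        found.extend(m.group(1) for m in pat.finditer(text))
    return found


def audit(skill_md: str, declared_env: set[str]) -> Findings:
    read_only, mutating, hosts = set(), set(), set()
    for lit in string_literals(skill_md):
        lit = lit.strip()
        m = FIRST_WORD.match(lit)
        first = m.group(1).upper() if m else ""
        if first in READ_ONLY:
            read_only.add(lit)
        elif first in MUTATING:
            mutating.add(lit)
        if HOSTNAME.fullmatch(lit):  # a bare hostname literal, e.g. host='...'
            hosts.add(lit)
    referenced = {a or b for a, b in ENV_REF.findall(skill_md)}
    return Findings(
        read_only_sql=sorted(read_only),
        mutating_sql=sorted(mutating),
        inline_passwords=sorted(set(PASSWORD_ARG.findall(skill_md))),
        ssh_targets=sorted(set(SSH_TARGET.findall(skill_md))),
        hosts=sorted(hosts),
        undeclared_env=sorted(referenced - declared_env),
    )


# Constructed sample mirroring what the review reports about this SKILL.md
# (pymysql one-liner, ssh alias 'datax', hard-coded odpscmd path); not the real file.
SKILL_MD_AS_REVIEWED = """
python -c "import pymysql; c = pymysql.connect(host='core-dev-db.fex.pub', user='reader', password='s3cret'); cur = c.cursor(); cur.execute('SHOW CREATE TABLE orders'); print(cur.fetchone()[1])"
ssh datax "/mnt/www/addr/th_odpscmd/bin/odpscmd --project=$ODPS_PROJECT -e 'desc orders;'"
"""

# Constructed variant of the failure mode in guidance item (4): the skill also applies generated DDL.
SKILL_MD_APPLIES_DDL = SKILL_MD_AS_REVIEWED + """
python -c "import os, pymysql; c = pymysql.connect(host='core-dev-db.fex.pub', user='admin', password=os.environ['MYSQL_PASSWORD']); c.cursor().execute('ALTER TABLE orders ADD COLUMN sync_flag INT')"
"""

if __name__ == "__main__":
    for name, text in (("as reviewed", SKILL_MD_AS_REVIEWED), ("applies DDL", SKILL_MD_APPLIES_DDL)):
        f = audit(text, declared_env=set())  # this manifest declares no requires.env
        print(f"[{name}] blocks install: {f.blocks_install()}")
        print(f"  read-only SQL : {f.read_only_sql}")
        print(f"  mutating SQL  : {f.mutating_sql}")
        print(f"  inline secrets: {f.inline_passwords}")
        print(f"  ssh/hosts     : {f.ssh_targets} {f.hosts}")
        print(f"  undeclared env: {f.undeclared_env}")
```

Run against the first snippet with an empty declared set, the audit confirms the scanner's reading: only DESC and SHOW CREATE TABLE are issued, but an inline password, an SSH alias, a hard-coded host and an undeclared ODPS_PROJECT variable all surface, so the verdict stays "do not install". The second snippet shows what item (4) is guarding against: an ALTER TABLE appears in the command text and is flagged as mutating even when every secret has been moved to declared environment variables. A quoted-string scan like this is deliberately conservative and will miss SQL built by concatenation, which is one more reason to pair it with a SELECT-only database account.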

Review Dimensions

Purpose & Capability
concern
The stated purpose (schema diff between MySQL and ODPS) legitimately requires DB credentials and access to odpscmd over SSH, and the SKILL.md indeed shows commands that use MySQL (pymysql) and SSH/odpscmd. However, the skill declares no required environment variables, credentials, or config paths, and it includes hard-coded internal hostnames and an SSH alias ('ssh datax' and core-dev-db.fex.pub). The lack of declared access requirements and the presence of environment-specific hosts are inconsistent with each other.
Instruction Scope
concern
The runtime instructions explicitly run shell/python one-liners that connect to MySQL and run odpscmd over SSH. They reference internal filesystem paths (/mnt/www/addr/th_odpscmd/bin), an SSH alias, and sample credentials. While the SKILL.md says it only performs read-only DESC/SHOW CREATE TABLE, it still requires network/SSH access and secrets that are not declared; the instructions also include an inline password example and assume a local SSH key/config, which broadens the scope unexpectedly.
Install Mechanism
ok
Instruction-only skill with no install spec or code files. This minimizes on-disk installation risk; there is no package download or execution installer to review.
Credentials
concern
The skill declares no required env vars or primary credential, yet the SKILL.md demonstrates using database credentials and SSH access. Required secrets (DB password, SSH keys) are implied but not declared. This is disproportionate: a schema-compare skill should explicitly declare how it obtains read-only credentials and any SSH/config requirements.
Persistence & Privilege
ok
The always flag is false and the skill is user-invocable; it does not request persistent or elevated platform privileges. Autonomous invocation is allowed, but that is the platform default and is not itself flagged here.