Dev Machine Database
WarnAudited by ClawScan on May 10, 2026.
Overview
The skill matches a database-query purpose, but its helper script embeds a MySQL root password and can exceed the promised read-only, 50-row behavior.
Review before installing. Do not use this as-is with real development data until the hardcoded password is removed and rotated, the database account is changed to read-only least privilege, SQL and shell inputs are strictly validated, and Feishu output destinations are clearly controlled.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Anyone who can view the skill file can see the database password, and queries run with broad database privilege rather than least privilege.
The skill embeds a root MySQL credential in the distributed source while the registry lists no primary credential or required environment variable. A root credential is broader than a scoped read-only database account.
MYSQL_USER = "root" MYSQL_PASSWORD = "123456" # MySQL 密码
Rotate this password, remove it from the skill file, use a secret manager or environment variable, and replace root with a read-only account limited to the intended databases and tables.
A mistaken or manipulated request could cause the agent to run non-read-only SQL or large queries against the development database.
The generic SQL helper only appends LIMIT to SELECT statements and does not reject INSERT, UPDATE, DELETE, DDL, multiple statements, or oversized existing LIMIT clauses, despite the skill's stated read-only scope.
def query_mysql_docker(sql, database=DATABASE, limit=50):
if "LIMIT" not in sql.upper() and sql.strip().upper().startswith("SELECT"):
sql = f"{sql.rstrip(';')} LIMIT {limit}"
cmd = f'docker exec {MYSQL_CONTAINER} mysql -u{MYSQL_USER} -p{MYSQL_PASSWORD} {database} -e "{sql}"'Enforce a strict allowlist for SELECT/SHOW/DESC only, validate table and column identifiers, reject multiple statements, cap LIMIT values, and rely on a database account that cannot modify data.
A crafted query or model error could execute unintended shell commands on the development machine, not just database reads.
User/model-derived SQL is interpolated into a remote command string passed through SSH. Quotes or shell metacharacters in generated SQL, table names, or WHERE clauses could escape the mysql command on the remote host.
cmd = f'docker exec {MYSQL_CONTAINER} mysql -u{MYSQL_USER} -p{MYSQL_PASSWORD} {database} -e "{sql}"'
returncode, stdout, stderr = ssh_command(cmd)Avoid building remote shell strings from user text. Use fixed argv/wrapper scripts, robust quoting such as shlex.quote for each shell argument, and strict SQL/identifier validation.
Database rows or statistics may appear in a Feishu conversation or channel, which could expose sensitive business data if the destination is shared.
The instructions say formatted database results are sent to Feishu, but the artifacts do not specify the recipient, channel, or approval boundary. The documented tables include users, orders, stores, and clients.
4. **格式化输出** - 表格形式展示 - 添加统计信息 - 发送到飞书
Confirm where Feishu output is posted, require user confirmation for sensitive results, and avoid sending raw user/order/client data to broad channels.