Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Go Data Persistence
v2.3.0
Data persistence patterns in Go covering raw SQL with sqlx/pgx, ORMs like Ent and GORM, connection pooling, migrations with golang-migrate, and transaction m...
by Kevin Anderson (@anderskev)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious (medium confidence)
Purpose & Capability
The documented content (pgx/sqlx, Ent/GORM, golang-migrate, connection pooling, transactions) aligns with the skill name and description. However, the SKILL metadata lists no required environment variables or binaries while the instructions repeatedly reference DATABASE_URL and recommend installing the 'migrate' CLI and using go install. That metadata/instruction mismatch is unexpected but plausibly an authoring oversight.
Instruction Scope
The instructions tell the operator/agent to read environment variables (e.g., os.Getenv("DATABASE_URL")), run migration commands (migrate CLI via a DB URL), and suggest embedding and running migrations at startup. Those actions are within the normal scope for a migrations/persistence guide, but they imply the agent or developer will use database credentials and run commands that modify production databases — which is sensitive. The SKILL.md does not explicitly document this required credential in the registry metadata, and the instructions assume permission to run CLI installs and migrations.
Install Mechanism
There is no install spec in the registry (instruction-only), so nothing is written automatically to disk by the skill. The docs recommend using 'go install' for golang-migrate which is a normal developer step; no download-from-arbitrary-URL or archive extraction is present in the skill files.
Credentials
The skill metadata declares no required environment variables, but the instructions and examples rely on DATABASE_URL and os.Getenv calls; this is a mismatch. Requiring direct database credentials (DATABASE_URL) is expected for migration and DB-access docs, but the registry should list them. Users must be aware that following the instructions requires providing DB credentials and that running migrations will perform schema changes — privileges should be tightly scoped and backups taken.
Persistence & Privilege
The skill is not 'always' enabled and doesn't request persistent system-level privileges. It is user-invocable and allows autonomous model invocation (the platform default). There is no evidence the skill attempts to modify other skills or system-wide agent configuration.
What to consider before installing
This is a documentation-only skill about Go database patterns and migrations. Before installing or using it:
1) Note that the docs assume a DATABASE_URL (database credentials) and recommend installing/running the golang-migrate CLI — the registry metadata does not declare this, so treat it as an authoring omission rather than a platform-provided requirement.
2) Running migrations will change your production schema — always review migration SQL, run them against a test/staging copy first, and back up the database.
3) Use a least-privilege DB user for migrations (and prefer a migration user that cannot drop unrelated databases).
4) If you plan to have an agent execute these instructions autonomously, restrict the agent's access to credentials and ensure you trust the migration files; autonomous invocation combined with DB write access can cause broad impact.
If the missing DATABASE_URL declaration or the expectation to run go install concerns you, ask the skill author to update the metadata to list required env vars and any recommended binaries.
Like a lobster shell, security has layers — review code before you run it.
latestvk979avb16q14q8sm2k691ykrq183d14b
