store-order-query

Review: Audited by ClawScan on May 1, 2026.

Overview

The skill appears to do what it claims—query MySQL order data and create a local report—but users must protect the database credentials and generated order files.

Before installing, confirm you trust the source, use a dedicated read-only MySQL account limited to the intended order tables, do not use root/admin credentials, and protect the local config, order data, and report files. If you install dependencies, prefer a lockfile or pinned version.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If installed with an overly privileged MySQL account, the skill would operate with more database access than it needs.

Why it was flagged

The example configuration stores database credentials and uses a privileged root-account placeholder. This is purpose-aligned for a database query skill, but users should avoid broad database credentials.

Skill content
"user": "root", "password": "your_password"
Recommendation

Create a dedicated read-only MySQL user limited to the intended Order and OrderItems tables; do not use a root/admin database account.

What this means

Anyone with access to those local files may be able to view store order and sales information.

Why it was flagged

The workflow persists raw queried order data and the generated report in local files. This is disclosed and purpose-aligned, but order totals, payment methods, products, and SKU data may be sensitive business information.

Skill content
Save the data to `~/openclaw-skill-data/store-order-query/orders_data.json` ... `order_report.md`
Recommendation

Keep the skill data directory private, avoid sharing generated files unintentionally, and delete old order data/reports when no longer needed.

What this means

A dependency install may resolve to a newer compatible mysql2 release, which slightly increases supply-chain review needs.

Why it was flagged

The skill depends on an external MySQL driver using a semver range. This is expected for the stated database-query purpose, but package installs should be trusted and reproducible where possible.

Skill content
"dependencies": { "mysql2": "^3.6.0" }
Recommendation

Install from a trusted source and use a lockfile or pinned dependency version in sensitive environments.