ClawHub

Zero TiDB(Deprecated)

PassAudited by ClawScan on May 1, 2026.

Overview

This instruction-only skill coherently creates temporary TiDB databases, with the main caution that it calls an external API and saves generated database credentials locally.

Use this skill only if you want an agent to create a temporary TiDB Cloud Zero database. Expect an outbound call to zero.tidbapi.com and a local file containing database credentials; secure or delete that file after use, and treat the Technical Preview/deprecated status as a reliability consideration.

Findings (2)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Low
#ASI02: Tool Misuse and Exploitation
What this means

Using the skill may create a remote ephemeral database, write its connection details locally, and run SQL commands against it.

Why it was flagged

The skill tells the agent/user to call an external API, write the response to a local file, and run SQL through a CLI. This is central to the skill's purpose, but it is still an external action the user should intentionally approve.

Skill content
curl -s -X POST https://zero.tidbapi.com/v1alpha1/instances ... | tee tidb-zero.json ... mysql "<connectionString>" -e "SELECT 1 AS health_check, 2 AS example_value;"
Recommendation

Run these steps only when you intend to provision a TiDB Cloud Zero database; verify the endpoint and review commands before execution.

Low
#ASI03: Identity and Privilege Abuse
What this means

Anyone who obtains the saved response file or exposed connection string could connect to the temporary database and view or modify its contents until it expires.

Why it was flagged

The API returns database credentials and the skill instructs saving them locally. This is expected for a database provisioning skill, but those credentials can access the temporary database until expiration.

Skill content
`instance.connection` fields: `host`, `port`, `username`, `password` ... `save the instance details to a local file ... contains sensitive credentials`
Recommendation

Store the generated JSON file securely, do not commit or share it, avoid exposing passwords in logs or command history, and delete the file when finished.