Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Sqlformat

v2.0.0

Format, lint, and pretty-print SQL with dialect conversion. Use when checking style, validating syntax, formatting queries, generating clean SQL.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal
Suspicious
OpenClaw
Benign
medium confidence
Purpose & Capability
Name/description match the implementation: a bash-based CLI that formats/lints/records SQL-related entries. Required tools and declared capabilities align with a local devtool.
Instruction Scope
SKILL.md and script instruct the agent to accept SQL input and record timestamped entries to local log files (~/.local/share/sqlformat by default). This is within scope for a logger/formatter, but it means any SQL you pass (including connection strings, queries with literals, or credentials) will be stored in plain text. The SKILL.md does not explicitly warn about logging sensitive data.
Install Mechanism
No install spec or downloads are present; the skill is instruction + a local bash script. No external package installs or remote downloads are used.
Credentials
No credentials or secret environment variables are required. One optional env var (SQLFORMAT_DIR) controls storage location, which is reasonable. However, the skill's logging behavior creates a data persistence risk for any sensitive SQL passed to it.
Persistence & Privilege
The skill creates and writes only its own data directory under the user's home (~/.local/share/sqlformat by default). always:false and no system-wide configuration changes are requested.
Assessment
This skill appears to be a straightforward local SQL formatting/linting CLI that stores all inputs in plain-text log files. Before installing or running:
1) Inspect the full script (the provided script snippet appears truncated in the review copy) to confirm there are no hidden network calls or unexpected commands.
2) Avoid passing any sensitive data (passwords, connection strings, or PII) to the tool; anything you pass can be logged.
3) If you need to use it with sensitive queries, set SQLFORMAT_DIR to a secure directory with restrictive permissions (chmod 700) or use a temporary/sandboxed account.
4) Periodically review and securely delete logs (or add redaction) if they contain secrets.
5) Because the tool stores data locally, there is no automatic exfiltration observed in the visible code, but verify the remainder of the script before trusting it in sensitive environments.


latest: vk97fej699xhb77jkzsntwzkxzh835n9c
