Skillv1.0.0

ClawScan security

自然语言转 SQL 查询助手 · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

SuspiciousMar 12, 2026, 11:36 AM

Verdict: suspicious
Confidence: high
Model: gpt-5-mini
Summary: The skill is coherent with its stated NL→SQL purpose, but it asks the user to supply database credentials and instructs the agent to remember connection info in conversation while the provided scripts pass passwords on the command line (exposing them to the local process list) — these behaviors increase risk and should be addressed before use.
Guidance: This skill appears to do what it says, but it requires you to provide database credentials and the included scripts pass passwords on the command line (mysql -p"password"), which can be visible to other local users and may be stored in process lists or logs. Also the skill instructs the agent to 'remember' connection info in the conversation — that could leave credentials in chat history. Before installing or using: (1) prefer giving a least-privilege, ephemeral DB account (read-only for queries; separate write account if necessary); (2) avoid providing production admin passwords in chat; (3) consider modifying the scripts to avoid passing passwords as CLI args (use mysql option files with restrictive permissions or prompt for password/stdin) or to accept a secure secret mechanism supported by your platform; (4) disable any long-term conversation memory for credentials or ensure the platform never persists them; (5) review and test the scripts in an isolated environment first. If you cannot accept these risks, treat the skill as unsafe to enable with real/privileged credentials.

Review Dimensions

Purpose & Capability: okName/description (convert NL to SQL and execute against MySQL) match the provided scripts and SKILL.md. The scripts implement schema discovery, listing databases, executing queries, and transactions, which are expected for this purpose.
Instruction Scope: concernSKILL.md instructs the agent to remember connection info in the conversation and to pass host/port/user/password to scripts. Scripts accept arbitrary SQL and will execute it; destruction safeguards are described (confirm before DELETE/DROP/TRUNCATE) but enforcement depends on the agent following rules. The instruction to cache credentials in conversation expands the skill's scope to handling sensitive secrets in chat history.
Install Mechanism: okNo install spec; instruction-only plus included shell scripts. Nothing is downloaded or written during install. This low-install footprint is proportionate to the skill's purpose.
Credentials: concernThe skill does not request unrelated environment credentials (no extraneous API keys), which is appropriate. However, it relies on users providing DB credentials and the scripts supply the password as mysql -p"PASSWORD" on the command line, which can expose passwords to other local users via process listings and shell histories. The requirement to 'remember connection info within the conversation' may cause passwords to be retained in chat context unless explicitly masked/managed.
Persistence & Privilege: notealways:false and no system-wide config changes — good. But the SKILL.md's recommendation to persist connection info in conversation means credential data may persist in chat logs/memory. This is a platform/configuration-level persistence risk rather than a skill-install privilege escalation.