Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Database Schema Differ

v1.0.0

Compare database schemas across environments, generate migration scripts, and track schema evolution.

by Derick (@derick001)
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (high confidence)
Purpose & Capability
The name and description promise live-database comparison, migration generation, and support for multiple DB backends via SQLAlchemy/Alembic. The SKILL.md and README repeat that. However, the shipped implementation (scripts/main.py) only parses local .sql files and returns an explicit error for connection strings ("Database connections not implemented in this version"). The metadata lists SQLAlchemy and Alembic as Python requirements, but the code neither imports nor uses them. This is an incoherence between the claimed capabilities and the actual code.
Instruction Scope
Runtime instructions and examples show passing full DB connection strings (including user:pass@host) on the CLI. That is expected for a DB tool, but the code will treat non-.sql sources as unimplemented and print errors. The examples therefore mislead operators into believing live DB comparisons are supported. Also, passing credentials on the command line exposes them to local process-list inspection — the SKILL.md does not warn about that.
Install Mechanism
There is no install spec (instruction-only skill) and no downloads; this minimizes install-time risk. The README suggests installing Python packages (sqlalchemy, alembic, DB drivers) via pip, but nothing is automatically fetched or executed by the skill itself.
Credentials
The skill declares no required environment variables or credentials, which is proportionate for a tool that operates on local SQL files. However, SKILL.md/README encourage supplying DB connection strings including credentials on the CLI; that can expose secrets. The metadata lists third-party Python packages as requirements even though the included code does not use them — raising questions about why those packages are declared.
Persistence & Privilege
The skill does not request persistent privileges, does not set always:true, and has no install actions that modify system or other skills. It operates as a CLI script and will only read files explicitly provided to it.
What to consider before installing
The skill's README and SKILL.md promise live DB comparisons using SQLAlchemy/Alembic, but the bundled script only supports parsing local .sql files and explicitly returns "Database connections not implemented." That mismatch could be an unfinished/abandoned feature or misleading documentation. Before using:

1) Do not run this against production databases thinking it will produce safe migrations.
2) Inspect and test scripts/main.py on non-sensitive local SQL files to verify behavior.
3) Avoid passing connection strings containing passwords on command lines (use secure methods like environment variables or config files) — the examples show inline credentials which are visible to other local users.
4) If you need live DB support, ask the author for confirmation or a version that actually imports and uses SQLAlchemy/Alembic.
5) Consider running the tool in an isolated environment (container) and review generated migration SQL carefully before applying it.


Runtime requirements

Bins: python3