Skill v1.0.0

ClawScan security

openclaw ggsql · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Apr 29, 2026, 8:02 AM
Verdict: benign
Confidence: high
Model: gpt-5-mini
Summary
The skill's files, templates, and runtime instructions match its stated purpose (generating charts with ggsql) and do not request unrelated credentials or install arbitrary code; the main caution is that the recommended WASM playground involves uploading data to ggsql.org.
Guidance
This skill appears coherent and implements ggsql chart generation as described. Before installing or using it:
1) Do not upload sensitive or confidential data to the ggsql.org WASM playground—prefer installing and using the ggsql-cli locally (the README and SKILL.md show how).
2) If you plan to run the provided script, inspect it first (it only calls ggsql-cli if present and otherwise prints the SQL and a link).
3) If you need local execution, verify the official ggsql-cli source and installation steps (cargo install ggsql-cli) and ensure you trust the ggsql.org site before uploading data.
4) The SKILL.md contains a commented example curl to a render API—this is not active, but be cautious if future versions enable remote rendering by default.

Review Dimensions

Purpose & Capability
ok: Name/description, templates (scatter/line/bar/etc.), README, and the small runner script all implement SQL-to-ggsql chart generation as advertised. The SKILL.md metadata notes a 'web-access' helper, which aligns with using the ggsql WASM playground. No unrelated binaries, env vars, or paths are requested.
Instruction Scope
note: Runtime instructions are scoped to generating ggsql SQL from input specs and running it via either a local ggsql-cli or the ggsql.org WASM playground. Using the playground implies (as part of its normal operation) uploading user data to ggsql.org. The included runner script does not exfiltrate data automatically (it prints the SQL and points to the playground); there is a commented-out curl example for a potential API call, which is not active. Recommendation: avoid sending sensitive data to the web playground, or use a local CLI instead.
Install Mechanism
ok: No install spec is provided (instruction-only skill) and included code is minimal (templates and a small shell script). Nothing downloads or extracts external archives, and no installer URLs are provided.
Credentials
ok: The skill declares no required environment variables, no credentials, and no config paths. The behavior described does not require additional secrets; this is proportionate to the stated functionality.
Persistence & Privilege
ok: always is false and the skill is user-invocable. It does not request persistent presence or modify other skills/configs. Autonomous invocation is allowed by platform defaults but is not combined with broad credentials or other risky behaviors.