Middleware Query
Pass
Audited by ClawScan on May 10, 2026.
Overview
The skill is coherent for read-only database querying, but it intentionally handles database credentials and data, and may optionally send query prompts to OpenAI.
This skill appears benign and purpose-aligned. Before installing or using it, configure only least-privileged read-only database accounts, keep connection files private, review generated query plans for broad reads, and avoid enabling the OpenAI planner if database-related prompt text must stay local.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If configured with broad or production credentials, the agent can read sensitive database records through this skill.
The skill intentionally uses database usernames and passwords to access MySQL, Redis, and MongoDB. This is expected for the stated purpose, but it grants read access to whatever those accounts can see.
Require all connection parameters explicitly for each datasource: `host`, `port`, `username`, `password` ... Store connection profiles in `scripts/connections.json`
Use dedicated read-only, least-privileged database accounts; avoid production credentials unless necessary; keep `connections.json` private.
Database-related query text may leave the local environment if the optional OpenAI planner is enabled.
When `OPENAI_API_KEY` is present, the LLM planner sends the natural-language request and default profile names to OpenAI. The code does not send database credentials or query results here, but the prompt itself may contain sensitive schema, key, or business context.
client = OpenAI(api_key=api_key) ... {"role": "user", "content": prompt}
Do not set `OPENAI_API_KEY` for highly sensitive local-only use, or avoid putting secrets and sensitive record values in natural-language prompts.
A generated or user-provided read query could retrieve more database data than intended if the configured account has broad access.
The SQL executor runs user/planner-provided SQL after a read-only regex and denylist check. This is central to the skill and not hidden, but broad SELECT queries can still expose large amounts of accessible data.
validate_sql(args.sql) ... cur.execute(sql)
Review generated plans for sensitive queries, keep database permissions narrow, and prefer explicit limits and scoped tables/collections.
Query-plan details may remain on disk after the command finishes.
The one-command workflow writes the generated query plan to a temporary file with deletion disabled. The plan may include profile names, table/collection/key names, filters, or SQL text.
tempfile.NamedTemporaryFile(prefix="mw-plan-", suffix=".json", delete=False)
Clean up temporary `mw-plan-*.json` files when queries contain sensitive names or filters, and avoid saving plans unless needed.
