Skill v0.2.0
ClawScan security
SQL Guard Copilot · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Mar 11, 2026, 3:19 PM
- Verdict: suspicious
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill is coherent as an SQL helper, but it asks the user for database credentials (SQL_DSN) and an LLM API key, and its natural-language mode sends schema and queries to an external model by default. Those data-exfiltration and privacy risks, together with a mismatch between the declared registry metadata and the actual runtime requirements, warrant caution.
- Guidance
- This skill appears to be a legitimate SQL helper, but review these points before installing or using it:
  - Expect to supply SQL_DSN (DB credentials) and, for the natural-language 'ask' feature, OPENAI_API_KEY and OPENAI_BASE_URL. The registry metadata does not declare these; confirm you are comfortable passing credentials via environment variables or CLI flags (values passed on the command line are visible to other local processes and may end up in shell history).
  - The 'ask' command sends the schema and the prompt to an external LLM endpoint (default api.openai.com). That exposes table and column names, and possibly query text or results, to the remote model. If your schema or data is sensitive, do not use 'ask' against a remote LLM: use --dry-run, point OPENAI_BASE_URL at a local or private endpoint, or leave 'ask' unused.
  - Use a least-privilege, read-only DB user in SQL_DSN. The skill's read-only guard works by blocking DDL/DML tokens; treat it as a convenience and rely on the database's own permissions as the real boundary. Test against a non-sensitive sample DB first to confirm the guard rejects writes and DDL as promised.
  - If you must allow remote LLM access, set OPENAI_BASE_URL to a trusted host, restrict --max-tables/--max-columns, and review the prompt with --show-prompt before it is sent.
  - Enable audit logging to a secure location (SQL_EASY_AUDIT_LOG or --audit-log) and inspect the logs for unexpected data capture; a log of SQL activity is itself sensitive, so protect it like the database.
  - Review scripts/sql_easy.py yourself (or have a trusted reviewer do so) before running it in production, and pin dependency versions when installing the runtime libraries.
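The following is an added example, not code from the skill or from ClawHub, of the check the guidance asks for: confirm on a throwaway database that a read-only guard really stops writes and DDL before trusting it with a real one. The is_read_only_sql function is a stand-in token-denylist guard of the kind the review describes, not the guard in scripts/sql_easy.py; probe_guard runs a constructed battery of statements through it and executes whatever it lets through against a sample in-memory SQLite database, once with the guard alone and once with SQLite's authorizer hook enforcing read-only at the database level (the equivalent of a read-only DB user). All function names, the sample table and the battery of statements are assumptions made for this example.

```python
"""Added example, not the skill's code: verify that a read-only SQL guard
really blocks writes and DDL before trusting it with a real database.

is_read_only_sql is a stand-in token-denylist guard (an assumption about the
style of guard the review describes, not the one in scripts/sql_easy.py).
probe_guard runs a constructed battery of statements through the guard and
executes whatever it lets through against a throwaway in-memory SQLite DB,
optionally with SQLite's authorizer hook enforcing read-only at the DB level.
"""
import re
import sqlite3

# Naive prefix denylist: matches a write/DDL keyword at the start of the
# statement, or after a leading WITH clause.  Deliberately simple so the
# harness has something to measure; it is not the skill's guard.
_DENIED = re.compile(
    r"^\s*(?:with\b.*?)?\b(insert|update|delete|replace|drop|alter|create|"
    r"truncate|attach|detach|pragma|vacuum|reindex)\b",
    re.IGNORECASE | re.DOTALL,
)


def is_read_only_sql(sql: str) -> bool:
    """Return True if the statement passes the token check (single statement,
    no denied keyword).  A leading comment defeats this kind of check."""
    body = sql.strip().rstrip(";")
    return ";" not in body and _DENIED.search(body) is None


# Constructed battery: (statement, is_write).  is_write is the ground truth
# the harness compares the guard's decision against.
BATTERY = [
    ("SELECT id, email FROM users", False),
    ("SELECT count(*) FROM users WHERE email LIKE '%@example.com'", False),
    ("INSERT INTO users(email) VALUES ('x@example.com')", True),
    ("UPDATE users SET email = 'x' WHERE id = 1", True),
    ("DROP TABLE users", True),
    ("WITH x AS (SELECT 1) DELETE FROM users", True),
    ("/* harmless */ DELETE FROM users", True),
]


def _sample_db(enforce_at_db: bool) -> sqlite3.Connection:
    """In-memory sample DB with two rows.  When enforce_at_db is set, an
    authorizer callback denies every action except reading/selecting, which
    models a least-privilege, read-only database user."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        "CREATE TABLE users(id INTEGER PRIMARY KEY, email TEXT);"
        "INSERT INTO users(email) VALUES ('a@example.com'), ('b@example.com');"
    )
    if enforce_at_db:
        allowed = {
            sqlite3.SQLITE_SELECT,
            sqlite3.SQLITE_READ,
            sqlite3.SQLITE_FUNCTION,
            getattr(sqlite3, "SQLITE_RECURSIVE", 33),  # WITH ... AS; constant name varies by Python version
        }
        conn.set_authorizer(
            lambda action, *_: sqlite3.SQLITE_OK if action in allowed else sqlite3.SQLITE_DENY
        )
    return conn


def probe_guard(battery, enforce_at_db: bool) -> dict:
    """Map each statement to 'blocked_by_guard', 'denied_by_db' or 'executed'."""
    conn = _sample_db(enforce_at_db)
    results = {}
    for sql, _ in battery:
        if not is_read_only_sql(sql):
            results[sql] = "blocked_by_guard"
            continue
        try:
            conn.execute(sql).fetchall()
            results[sql] = "executed"
        except sqlite3.DatabaseError:  # SQLITE_AUTH from the authorizer surfaces here
            results[sql] = "denied_by_db"
    conn.close()
    return results


def guard_report(battery, enforce_at_db: bool):
    """Return (results, leaked_writes, blocked_reads): writes that actually
    ran, and legitimate reads that were wrongly refused."""
    results = probe_guard(battery, enforce_at_db)
    leaked = [s for s, w in battery if w and results[s] == "executed"]
    blocked_reads = [s for s, w in battery if not w and results[s] != "executed"]
    return results, leaked, blocked_reads


if __name__ == "__main__":
    for enforce in (False, True):
        results, leaked, blocked_reads = guard_report(BATTERY, enforce)
        print(f"db-level enforcement={enforce}: leaked={leaked} blocked_reads={blocked_reads}")
        for sql, outcome in results.items():
            print(f"  {outcome:16} {sql}")
```

Run it with and without database-level enforcement: a write that the token guard lets through (here, one hidden behind a leading comment) shows up as executed in the first run and as denied by the database in the second, which is the argument for giving SQL_DSN a read-only user rather than trusting the guard alone. The authorizer hook is SQLite-specific; for MySQL or Postgres the same harness applies with the connection opened as the restricted user.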
Review Dimensions
- Purpose & Capability
- note: The name and description (SQL helper for MySQL/Postgres/SQLite) match the included code and commands. However, the registry metadata declares no required environment variables or primary credential, while the runtime instructions and code require SQL_DSN for DB access and optionally OPENAI_API_KEY / OPENAI_BASE_URL for the natural-language 'ask' mode. That omission reduces transparency: a user reading only the registry entry would not know the skill handles database credentials.
- Instruction Scope
- concern: SKILL.md and the CLI prominently instruct the user to set SQL_DSN and, for 'ask', OPENAI_API_KEY and OPENAI_BASE_URL. The 'ask' flow builds a schema prompt (tables and columns) and sends it to an LLM endpoint (default https://api.openai.com, or any user-supplied base URL), so the database schema, and potentially query text or results depending on options, is transmitted off-host. The skill otherwise enforces read-only guards by blocking DDL/DML tokens, which is appropriate, but the external transmission of schema and data is a significant privacy and exfiltration risk and should be weighed explicitly before use.
- Install Mechanism
- ok: No install spec (instruction-only, with a single Python script). Dependencies (pymysql, psycopg/psycopg2) are imported at runtime and only needed for the corresponding DB driver; the script raises a clear error if one is missing. No remote or arbitrary downloads are used in the provided files.
- Credentials
- concern: The skill requires sensitive inputs at runtime: SQL_DSN (which, in the examples, embeds the DB host, username and password) and optionally OPENAI_API_KEY/OPENAI_BASE_URL. The registry does not declare these env vars. Asking for an LLM API key and sending schema/data to an LLM is proportional to the 'ask' capability but increases risk, and an unrestricted base URL means the key and the schema can be sent to an arbitrary endpoint. Audit logging to a JSONL file is available and should be configured carefully.
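Two operator-side checks for the 'ask' path, as an added example that is not code from the skill or from ClawHub: check_llm_base_url refuses an OPENAI_BASE_URL that is not an https URL to an allowlisted host (the unrestricted base URL noted above), and build_schema_context applies caps in the style of --max-tables/--max-columns, plus an explicit exclude set for tables that must never be sent, and reports exactly which table and column names would leave the host so the prompt can be reviewed before anything is sent. The function names, the exclude parameter and the sample schema are assumptions made for this example.

```python
"""Added example, not the skill's code: operator-side checks for the 'ask'
path.  check_llm_base_url validates the LLM endpoint against an allowlist;
build_schema_context caps and reports the schema that would be sent.
Names and the sample schema are assumptions made for this example.
"""
from urllib.parse import urlsplit

# Constructed sample schema: {table: [columns]} in discovery order.
SAMPLE_SCHEMA = {
    "users": ["id", "email", "password_hash", "created_at"],
    "orders": ["id", "user_id", "total"],
    "api_tokens": ["id", "user_id", "token"],
    "audit_log": ["id", "actor", "action"],
}


def check_llm_base_url(base_url: str, allowed_hosts) -> tuple:
    """Return (ok, reason).  Exact host match only, so a lookalike such as
    api.openai.com.evil.example is rejected; plain http is rejected because
    the API key would travel in the clear."""
    u = urlsplit(base_url)
    if u.scheme != "https":
        return False, "scheme must be https"
    if u.username or u.password:
        return False, "credentials embedded in URL"
    host = (u.hostname or "").lower()
    if host not in {h.lower() for h in allowed_hosts}:
        return False, f"host {host!r} is not in the allowlist"
    return True, "ok"


def build_schema_context(schema, max_tables: int, max_columns: int, exclude=()):
    """Return (prompt_text, report).  Tables in `exclude` are never sent; the
    first max_tables remaining tables are sent with at most max_columns
    columns each.  The report lists what was sent, omitted and truncated so
    the operator can review it before the prompt leaves the host."""
    excluded = set(exclude)
    candidates = [t for t in schema if t not in excluded]
    sent = candidates[:max_tables]
    lines, truncated = [], {}
    for t in sent:
        cols = schema[t]
        shown = cols[:max_columns]
        dropped = len(cols) - len(shown)
        suffix = f" (+{dropped} more columns not shown)" if dropped else ""
        lines.append(f"Table {t}: {', '.join(shown)}{suffix}")
        if dropped:
            truncated[t] = dropped
    report = {
        "sent_tables": sent,
        "omitted_tables": [t for t in schema if t not in sent],
        "truncated_columns": truncated,
    }
    return "\n".join(lines), report


if __name__ == "__main__":
    for url in ("https://api.openai.com/v1", "http://api.openai.com/v1",
                "https://api.openai.com.evil.example/v1"):
        print(url, check_llm_base_url(url, ["api.openai.com"]))
    text, report = build_schema_context(
        SAMPLE_SCHEMA, max_tables=2, max_columns=2, exclude={"api_tokens"}
    )
    print(text)
    print(report)
```

The report is the part worth reading before each run: it is the concrete answer to "what does this prompt reveal about my database", and a table that appears under sent_tables but should not (credential or token tables, for instance) belongs in the exclude set rather than behind a lower table cap, since caps depend on discovery order.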
- Persistence & Privilege
- ok: The always flag is false and the skill does not request persistent platform-wide privileges. It writes optional local audit logs (to a user-specified path) but does not modify other skills or system-wide config. Autonomous invocation by the agent is allowed by default (normal); weigh that against the data-exfiltration risk above before enabling autonomous runs.
