Skill v1.0.0

ClawScan security

SQL 查询优化助手 (SQL Query Optimization Assistant) · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Apr 8, 2026, 3:06 PM
Verdict
Benign
Confidence
high
Model
gpt-5-mini
Summary
An instruction-only SQL optimization helper whose requested artifacts and instructions match its stated purpose; no installs, credentials, or unexpected behaviors are present.
Guidance
This skill appears coherent and safe to install: it is purely documentation and advice for SQL tuning and does not try to access your system or request credentials. Before using, avoid pasting production credentials, full connection strings, or highly sensitive PII into prompts; instead provide schema, anonymized sample data, or sanitized EXPLAIN output. If you want the agent to run commands on a server (logs, pt-query-digest, etc.), only allow that in a controlled environment and never share secrets in plain text.

Review Dimensions

Purpose & Capability
ok: Name/description (SQL query writing, review, optimization) align with the provided content: guidance on query patterns, EXPLAIN usage, indexing, CTEs, window functions and diagnostics for PostgreSQL/MySQL/SQLite. No unrelated credentials, binaries, or external services are requested.
Instruction Scope
note: SKILL.md is an instruction-only guide that asks the agent to collect context (DB type, DDL, business goal, data volumes, slow-query descriptions) and to run/advise on EXPLAIN, indexing, and pagination strategies. This stays within scope, but it expects the user to supply schema, queries, or logs which may contain sensitive data; the skill itself does not include steps to connect to remote DBs or exfiltrate data.
Install Mechanism
ok: No install spec, no code files, and no downloads, so this is the lowest-risk category. The included reference files are static documentation only.
Credentials
ok: No environment variables, credentials, or config paths are requested. Examples reference standard DB tools and typical log paths, which is expected for a DBA-oriented guide.
Persistence & Privilege
ok: always is false and the skill is user-invocable only. It does not request persistent system presence or modify other skills/config. Autonomous invocation is allowed by platform default but not combined with other concerning flags.