Easycode Skill Review
Audited by ClawScan on May 10, 2026.
Overview
The skill matches its stated Java code-generation purpose, but it handles database passwords and may persist them in a local state file with no clearly protected storage.
Install only if you are comfortable giving it database connection details and letting it write generated Java files into your project. Use a read-only database account, review the pre-write file list, do not enable unknown formatter commands, and check or remove `.easycode-skill/state.json` to ensure no password was stored.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The agent can connect to the specified database and read schema, table, column, and comment metadata.
The skill uses a database password to connect and read table metadata. This is expected for code generation, but it is still sensitive account access.
String pass = req(a, "pass"); ... DriverManager.getConnection(url, user, pass)
Use a least-privilege, read-only database account and avoid production credentials unless necessary.
A database password or connection details could remain on disk and be exposed to anyone or anything that can read the project directory.
The visible code writes state to a local JSON file. SKILL.md also says interactive mode persists `pass`, so database passwords may be retained locally unless code not included in the reviewed artifacts encrypts or removes them.
STATE_DIR = Path(".easycode-skill") ... STATE_FILE = STATE_DIR / "state.json" ... json.dump(state, f, ensure_ascii=False, indent=2)
Before using interactive mode, verify whether passwords are scrubbed or stored in a real secret manager; otherwise avoid saving passwords and delete `.easycode-skill/state.json` if sensitive data is present.
A formatter command can modify the project or run arbitrary local build actions under the user's account.
The skill can run user-specified local commands after generating files. That is useful for formatting, but it is a broad execution capability if populated with unsafe commands.
"project_format_command": { ... "description": "Optional formatter command(s) executed in project_root after generation, e.g. './gradlew spotlessApply'" }
Only enable formatter execution for commands you recognize, and review the generation plan before allowing file writes or formatting.
A compromised or untrusted JDBC driver jar could run code when the Java bridge loads it.
The skill locates JDBC driver jars from local skill and Maven repository paths. Loading local jars is expected for JDBC metadata, but users should only load jars they trust.
"patterns": ["{skill_root}/drivers/mysql/*.jar", "{home}/.m2/repository/com/mysql/mysql-connector-j/*/mysql-connector-j-*.jar", ...]
Use official JDBC drivers from trusted repositories and avoid passing unknown `driver_jar` paths.
