employee-skills-importer
Review
Audited by ClawScan on May 10, 2026.
Overview
The skill has a clear employee-skills import purpose, but it generates database-changing SQL from employee data and auto-matches employee names without enough safety controls.
Use this only if you intend Claude to process employee CSV data and help prepare Supabase import SQL. Before running any generated script, verify all fuzzy name corrections, inspect the SQL for quoting/escaping issues, run it in a transaction or test database first, and keep a backup.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A malformed or malicious CSV value could break the SQL or cause unintended database actions when the generated script is executed.
The skill directs the agent to place parsed CSV/category/employee values directly into SQL string literals. The artifacts do not show a requirement to escape quotes or otherwise safely encode user-controlled values before the user runs the SQL.
Generate idempotent INSERT for missing categories: `INSERT INTO skill_categories (name) VALUES ('Category1')` ... `SELECT id FROM employees WHERE TRIM(first_name) = 'John' AND TRIM(last_name) = 'Doe'`
Add explicit SQL-literal escaping or use a staging table/parameterized import flow. Review generated SQL before running it, run it in a transaction, and keep a backup.
A wrong fuzzy match could assign skills or experience years to the wrong employee across many rows.
Automatic fuzzy matching can map CSV rows to the wrong employee, and the generated SQL can then persistently update employee skill records. The artifacts do not require human approval of fuzzy matches before generating the update script.
**CRITICAL: Automatically correct employee name spellings** - Use fuzzy matching to find and correct minor spelling differences ... `ON CONFLICT (employee_id, skill_id) DO UPDATE SET years_of_experience = EXCLUDED.years_of_experience`
Require a reviewed match report before SQL generation, set strict matching thresholds, and make the user approve every non-exact employee match.
Using this skill may expose employee names, IDs, and skill data to the agent and requires database privileges.
The skill is intended to access a specific Supabase project and employee tables, which is sensitive but aligned with the stated import workflow.
**Checks your database** - Connects to your SkillsSystem Supabase project ... **Project ID**: ypibfhbklinkvybgotef
Use least-privilege database access, confirm the project is yours, and avoid sharing production credentials unless necessary.
