ClickHouse
PassAudited by VirusTotal on May 11, 2026.
Overview
Type: OpenClaw Skill Name: clickhouse Version: 1.0.1 The skill is classified as suspicious due to a critical security vulnerability related to plain-text password storage. The `SKILL.md` explicitly warns that "If you provide database passwords, they are stored in plain text in ~/clickhouse/". While `memory-template.md` advises against storing passwords directly, the skill's design allows for this insecure practice, making it a significant risk for credential exposure. There is no evidence of intentional malicious behavior such as data exfiltration to external endpoints or unauthorized remote control; the prompt injection attempts are for guiding agent behavior rather than subversion.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A mistaken or premature SQL command could change schemas, remove columns, trigger expensive merges, or affect production database behavior.
The skill documents schema migration and optimization commands that can modify or remove database data. This is expected for ClickHouse administration, but the impact can be significant.
ALTER TABLE events DROP COLUMN old_field; ... OPTIMIZE TABLE events FINAL;
Review and explicitly approve any INSERT, ALTER, DROP, KILL, OPTIMIZE, TTL, or migration command before letting the agent run it against a real database.
If real credentials are pasted into prompts, shell commands, URLs, or saved queries, they may be retained in logs, histories, or local memory.
The documentation includes examples using ClickHouse passwords and cloud access keys. These are normal for authenticated database and S3 access, but credentials in command lines or SQL can be exposed through history or logs.
curl 'http://localhost:8123/?user=default&password=xxx' ... s3('https://bucket.s3.amazonaws.com/data/*.parquet', 'AWS_KEY', 'AWS_SECRET', 'Parquet')Use secure credential handling where possible, avoid placing secrets directly in prompts or URLs, and prefer scoped/temporary credentials for database and S3 access.
Connection profiles, schema notes, and query patterns may persist across future sessions and influence later recommendations.
The skill intentionally stores persistent local context about the user's ClickHouse environment. This is useful for optimization help but may include sensitive infrastructure and schema details.
Save to ~/clickhouse/memory.md: - Host, port, database - Auth method (if any) - Whether it's a cluster
Do not store passwords or secrets in ~/clickhouse/memory.md, review the file periodically, and delete it if you do not want the agent to retain ClickHouse context.