Museum Data Manager
SuspiciousAudited by ClawScan on May 10, 2026.
Overview
This looks like a real museum database tool, but it gives the agent unrestricted SQL access and broad database credentials without enough safeguards.
Install only if you are comfortable giving an agent access to this MySQL database. Use a limited, non-root database account, review every custom SQL query before it runs, avoid granting ALL privileges, verify the mycli binary, and consider patching the tool to use parameterized queries and safer credential handling.
Findings (5)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If the agent runs the wrong SQL, it could modify, delete, or expose museum database records.
The custom query command sends the agent-supplied SQL directly to MySQL with no read-only restriction, allowlist, or confirmation step.
result = run_sql(args.sql)
Make the default query mode read-only, require explicit user approval for write/delete/schema statements, and provide safer scoped commands for updates.
A crafted museum name, status, or location value could change the intended database query and potentially expose or alter data.
User-controlled CLI arguments are interpolated directly into SQL strings, creating SQL-injection risk if untrusted text is passed as a filter or lookup value.
where_clauses.append(f"location LIKE '%{args.location}%'")Use parameterized SQL or strict validation/escaping for all structured command arguments.
Using an over-privileged account could let accidental or malicious prompts cause permanent database changes.
The documentation recommends write/delete or full database privileges. Combined with unrestricted SQL execution, this grants the agent high-impact authority over the database.
Ensure your MySQL user has: SELECT, INSERT, UPDATE, DELETE on the database - Or full privileges: `GRANT ALL ON museumcheck.* TO 'user'@'%';`
Use a least-privilege MySQL account, preferably read-only unless a task explicitly requires writes, and avoid granting ALL privileges to this skill.
Other local users or monitoring tools might be able to see the database password while the command is running.
The MySQL password is passed to the mycli subprocess as a command-line argument, which can expose it locally through process inspection on some systems.
'-p', DB_CONFIG['password'],
Avoid passing passwords on the command line; use a secure MySQL client configuration file, prompt-based authentication, or another credential mechanism with appropriate file permissions.
The skill may fail or may use whichever mycli binary is found on the system PATH, so users need to trust that local executable.
The code depends on an external mycli executable, while the supplied registry requirements say no binaries are required.
paths = ['mycli', f'{home}/Library/Python/3.11/bin/mycli', f'{home}/.local/bin/mycli', '/usr/local/bin/mycli', '/usr/bin/mycli']Declare mycli as a required dependency and install or verify it from a trusted source before use.