App Order Prod Key Stats
Advisory: Audited by static analysis on Apr 30, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A crafted or accidental input could change the intended query, broaden the data returned, or attempt SQL injection against the order database.
User-controlled keyword and time values are inserted into SQL strings without parameter binding or strict validation, then executed against the database.
conditions = [f"(order_title LIKE '%{k}%' OR order_desc LIKE '%{k}%')" for k in keywords] ... create_time >= '{start_time}' AND create_time < '{end_time}' ... df = pd.read_sql(sql, conn)
Use parameterized queries, strict date validation, an allowlist for business types, escaping for LIKE patterns, and query limits before executing against production data.
Users may not realize the skill will use local database credentials to access production order data when generating reports.
The skill uses a database password environment variable and defaults to a specific remote database host/user, while the supplied registry metadata says there are no required env vars or primary credentials.
'host': os.getenv('JIUSHI_DB_HOST', 'rm-uf69co304tkv5htyd.mysql.rds.aliyuncs.com'), ... 'user': os.getenv('JIUSHI_DB_USER', 'juss_dw_ro'), 'password': os.getenv('JIUSHI_DB_PASSWORD')
Declare JIUSHI_DB_PASSWORD and related database configuration in metadata, document exactly what data is queried, and ensure the database account is narrowly scoped to read-only access for the intended table.
