v1.0.0

database_skill

Review: ClawScan verdict for this skill. Analyzed May 1, 2026, 4:25 PM.

Analysis

This appears to be a legitimate database connector, but it needs review because it can run database-changing SQL and stores connection metadata.

Guidance: Install only if you want the agent to access your databases. Use read-only or least-privilege database accounts, avoid root/admin credentials, carefully review any UPDATE/DELETE or batch SQL before execution, pin the Python dependencies, and remember that connection metadata is saved until removed.

Findings (5)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Tool Misuse and Exploitation
Severity: Medium; Confidence: High; Status: Concern
SKILL.md
| `--update <sql> [params...]` | UPDATE/INSERT/DELETE | ... | `--batch <file>` | Execute SQL file |

The skill explicitly gives the agent database mutation and batch SQL execution capability; the artifacts do not show a confirmation gate, read-only default, or privilege boundary for destructive SQL.

User impact: If used with a powerful database account, the agent could change or delete production or business data when running user-supplied SQL or a SQL file.
Recommendation: Use a least-privilege or read-only database account by default, require explicit user approval for UPDATE/DELETE/batch operations, and prefer transactions with rollback plans for changes.

Human-Agent Trust Exploitation
Severity: Medium; Confidence: High; Status: Concern
references/query-execution.md
`QueryExecutor` provides four execution modes, all supporting **parameterized bindings** to prevent SQL injection.

This broad safety claim conflicts with the included batch execution documentation in scripts/query_executor.py, which states that batch statements are executed without parameterized binding; users or agents may over-trust batch mode.

User impact: A user may assume every SQL execution path is parameterized and safe, then run an unsafe batch file containing untrusted or destructive SQL.
Recommendation: Correct the documentation to clearly state that batch mode is raw SQL only, and warn users to run batch files only after reviewing them.

Agentic Supply Chain Vulnerabilities
Severity: Low; Confidence: High; Status: Note
SKILL.md
`pip install pymysql psycopg2-binary oracledb pymssql pyyaml`

The skill relies on manually installed, unpinned Python packages and has no install spec; this is normal for a Python database connector but leaves dependency version and source control to the user.

User impact: Installing dependencies without pinning may pull newer or unexpected package versions.
Recommendation: Install dependencies from trusted package indexes, pin versions in a controlled environment, and review package provenance before use.

Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
Severity: Medium; Confidence: High; Status: Note
metadata
Required env vars: none; Env var declarations: none; Primary credential: none

The registry metadata does not declare credentials even though SKILL.md examples require database usernames and passwords such as `--user "root" --password "${DB_PASS}"`; this is expected for a database skill but should be explicit.

User impact: Users may not realize before installation that the skill will need database credentials, possibly with broad access.
Recommendation: Declare database credential requirements in metadata and advise users to provide least-privilege accounts instead of root or admin credentials.

Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Memory and Context Poisoning
Severity: Low; Confidence: High; Status: Note
scripts/connections_store.py
_STORE_FILE = os.path.join(tempfile.gettempdir(), ".database-skill-connections.json")

The skill stores reusable connection records in the temp directory, including URL, username, driver, label, and optional password environment-variable name; this is disclosed and purpose-aligned, but it persists sensitive connection metadata.

User impact: Database hostnames, usernames, and environment-variable names may remain on disk and be reused in later sessions.
Recommendation: Avoid putting secrets in database URLs, review the saved connection file if needed, and use `--forget` to remove records that should not persist.