Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using it.
lin
v1.0.0
Extract parameters from a given URL and save them into a MySQL database. Use when you need to store URL query parameters for later processing or analysis.
by 番茄番茄番茄范 (@lin-shiwu)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan (OpenClaw): Suspicious, high confidence
Purpose & Capability
The skill's stated purpose (save URL query parameters to MySQL) matches the included script. However the SKILL metadata claims no required environment variables or binaries, while the script relies on DB_HOST/DB_USER/DB_PASSWORD/DB_NAME environment variables and the Python mysql.connector module. Those omissions are incoherent with the claimed requirements.
Instruction Scope
SKILL.md simply instructs running the Python script with a URL. The script will read DB connection environment variables (even though SKILL.md/metadata don't declare them) and create tables/columns derived directly from URL parameter names. The instructions do not warn about or constrain what parameter names may be used, nor do they instruct any sanitization or safe DB target (e.g., not to run against production).
Install Mechanism
There is no install spec (instruction-only), which reduces install-supply risk. However the script depends on Python and the mysql.connector library (mysql-connector-python) which are not declared. That omission can cause execution failures and hides the true runtime surface.
Credentials
The script expects database credentials via environment variables (DB_HOST, DB_USER, DB_PASSWORD, DB_NAME) and provides insecure defaults (root/root on localhost/test_db). Those credentials are not declared in requires.env or documentation. Requesting DB credentials is proportionate to the task, but failing to declare them and using privileged defaults is concerning.
Persistence & Privilege
The skill does not request persistent privileges (always:false), does not modify other skills, and only performs DB writes as its intended action. No platform-level privilege escalation is apparent.
What to consider before installing
This skill contains legitimate functionality but has important problems you should address before installing or running it:
- Do not run this against production or sensitive databases yet. The code will create tables and add columns based on URL parameter names.
- The script uses environment variables DB_HOST/DB_USER/DB_PASSWORD/DB_NAME but the skill metadata and README do not declare them. Ensure you supply credentials only for a safe, isolated test database.
- Major security issue: column names are built directly from URL parameter names and interpolated into CREATE TABLE and INSERT SQL without quoting or validation. An attacker-controlled URL could cause SQL syntax errors or SQL injection via crafted identifier names. Fix by validating/whitelisting parameter names, quoting identifiers safely (e.g., backticks after strict validation), or mapping parameter names to safe column names.
- Add explicit dependency documentation: require Python and mysql-connector-python (or equivalent), and include instructions for installing them.
- Consider changing design: instead of dynamic columns, store parameters as key/value rows or a JSON column to avoid dynamic identifier creation.
If you cannot review and fix the code yourself, treat the skill as unsafe for use with any database that contains sensitive data or production credentials.
latest: vk972nwzcpm764hkjhwqtn7bfy583kf6a