lin

This script will connect to a MySQL server and create/modify a table using column names derived directly from URL query parameter names. Before installing or running it, consider the following: - Credential and dependency disclosure: The skill metadata does not declare required env vars or the mysql-connector dependency. Expect to provide DB_HOST, DB_USER, DB_PASSWORD, DB_NAME and to install the mysql-connector package and Python runtime. - Principle of least privilege: Do not run this with root or highly privileged DB accounts. Create a dedicated DB user with minimal INSERT/CREATE privileges limited to a dedicated database. - SQL identifier injection risk: Column names are interpolated directly into CREATE TABLE and INSERT statements without quoting or validation. Malicious or malformed parameter names could break SQL or be exploited. Only allow safe column names (e.g., validate against /^[A-Za-z0-9_]+$/) and/or quote identifiers properly. - Data sensitivity & exfiltration: The script will transmit any URL parameters to the configured DB. Ensure you trust the DB host (keep it local or in a trusted network) and avoid sending sensitive tokens/passwords. Treat this as a data exfiltration surface if the DB is remote. - Suggested code fixes: a) Require and document env vars in SKILL.md/metadata. b) Validate/sanitize column names to a safe whitelist and quote identifiers with backticks after validation. c) Avoid hardcoded default credentials; fail if no credentials are provided. d) Add explicit instructions about installing dependencies (pip install mysql-connector-python). e) Limit column size and handle name collisions. If you cannot review and lock down the DB and the script before use, treat this skill as risky and do not enable it on agents that can access sensitive URLs or run autonomously.