chat-ai
Security checks across static analysis, malware telemetry, and agentic risk
Overview
This text-to-SQL skill's behaviour is consistent with its stated purpose, but it runs generated database queries through unreviewed local project code and leaves database permissions and approval safeguards unclear.
Review this skill carefully before installing. Only run it in a controlled environment with a read-only, least-privilege database account, verify the external `Winner-Ai` project code it imports, and require SQL review/approval before allowing it to execute against real business data.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Invoking the skill may run whatever Python code exists at the hardcoded local path it imports from, or it may fail or behave differently from one machine to the next.
The core runtime behavior is imported from a hardcoded local project path outside the reviewed skill package, so reviewers and users cannot verify the SQL generation/execution logic from the provided artifacts.
PROJECT_ROOT = r"D:\javaworkspace\Winner-Ai"
sys.path.insert(0, PROJECT_ROOT)
from app.services.ai_chat_orchestrator import AIChatOrchestrator
Bundle the required modules in the skill package or reference a trusted, pinned package/source; remove the hardcoded local path and declare all runtime dependencies.
An ambiguous prompt or model/tool error could run unintended SQL under whatever database privileges are configured by the external project.
The wrapper sends natural-language input into an external SQL orchestration path with feedback disabled and no visible local read-only or approval guard before execution.
runtime = orchestrator.process_query(
    query=query,
    ...
    check_cancelled=check_cancelled,
    user_feedback_enabled=False,
    ...
    db=None,
)
Use a read-only database account by default, show the generated SQL before execution, require explicit approval for non-SELECT or high-cost queries, and implement cancellation/time limits.
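One way to implement the local read-only/approval guard recommended above, as an added example that is not part of the skill or of the Winner-Ai project: a pre-execution gate the wrapper would apply to orchestrator-generated SQL before anything reaches the database. The `gate`, `Decision` and helper names are hypothetical, and the sample statements are constructed.

```python
import re
from dataclasses import dataclass

# Hypothetical pre-execution guard (not part of the skill): classify SQL the
# orchestrator produced before it is sent to the database. Decisions:
#   "auto"    - read-only and bounded, may run under the read-only account
#   "approve" - must be shown to the user and explicitly approved first
#   "reject"  - never run (empty input, stacked statements)

READ_ONLY_VERBS = {"SELECT", "WITH", "SHOW", "DESCRIBE", "DESC", "EXPLAIN"}
# Any of these anywhere in the statement means it is not read-only (a CTE can
# precede DML in some dialects, and SELECT ... INTO OUTFILE writes files).
MUTATING = re.compile(
    r"\b(INSERT|UPDATE|DELETE|MERGE|REPLACE|CREATE|DROP|ALTER|TRUNCATE|GRANT|REVOKE|"
    r"INTO\s+(OUTFILE|DUMPFILE)|FOR\s+UPDATE)\b",
    re.I,
)


@dataclass(frozen=True)
class Decision:
    action: str   # "auto", "approve" or "reject"
    reason: str
    sql: str      # the single statement the decision applies to


def strip_comments(sql: str) -> str:
    """Drop /* */ and -- comments so a leading comment cannot hide the verb."""
    sql = re.sub(r"/\*.*?\*/", " ", sql, flags=re.S)
    sql = re.sub(r"--[^\n]*", " ", sql)
    return sql.strip()


def split_statements(sql: str) -> list:
    """Split on ';' outside quoted strings; stacked statements are rejected."""
    stmts, buf, quote = [], [], None
    for ch in sql:
        if quote:
            buf.append(ch)
            if ch == quote:
                quote = None
        elif ch in ("'", '"'):
            quote = ch
            buf.append(ch)
        elif ch == ";":
            stmts.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
    stmts.append("".join(buf).strip())
    return [s for s in stmts if s]


def leading_verb(stmt: str) -> str:
    parts = stmt.lstrip("( \t\r\n").split(None, 1)
    return parts[0].upper() if parts else ""


def gate(sql: str, *, require_limit: bool = True) -> Decision:
    """Decide whether generated SQL may run, needs approval, or is rejected."""
    stmts = split_statements(strip_comments(sql))
    if not stmts:
        return Decision("reject", "empty statement", sql)
    if len(stmts) > 1:
        return Decision("reject", f"{len(stmts)} stacked statements", sql)
    stmt = stmts[0]
    verb = leading_verb(stmt)
    if verb not in READ_ONLY_VERBS or MUTATING.search(stmt):
        return Decision("approve", "not provably read-only; needs explicit approval", stmt)
    if require_limit and verb in ("SELECT", "WITH") and not re.search(r"\bLIMIT\s+\d+", stmt, re.I):
        return Decision("approve", "unbounded result set; needs approval (cost)", stmt)
    return Decision("auto", "read-only and bounded", stmt)


if __name__ == "__main__":
    # Constructed sample statements standing in for orchestrator output.
    for sample in (
        "SELECT id, name FROM customers LIMIT 50",
        "-- summary\nSELECT * FROM orders",
        "SELECT 1; DROP TABLE orders",
        "DELETE FROM orders WHERE id = 3",
    ):
        d = gate(sample)
        print(f"{d.action:8} {d.reason}: {d.sql!r}")
```

The classification is a keyword heuristic (a `REPLACE()` function call or a keyword inside a string literal will trip it), so its false positives route a statement to the approval prompt, never to automatic execution. It decides what the user is shown before anything runs; the read-only, least-privilege database account remains the enforcement boundary, and the cancellation callback and a statement timeout should still bound whatever is approved.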
Users cannot tell which database account, connection, or privilege level the skill will use when executing generated SQL.
The skill hardcodes a database type and fixed user identity while leaving the connection and database object unspecified; metadata also declares no credential or config contract.
orchestrator = AIChatOrchestrator(db_type="starrocks")
...
    connection_id=None,
    user_id="openclaw",
    user_name="OpenClaw",
    db=None
Declare the required database connection and credential mechanism, bind actions to a user-selected connection, and document the minimum required privileges.
Sensitive business questions or query results could appear in the skill output or influence later turns if the same memory context is reused.
The skill supports conversation memory and returns raw intermediate messages, which may include user questions, generated SQL, summaries, and database-derived outputs.
memory_id = memory_id or session_id
...
    memory_id=memory_id,
...
    "raw_messages": [clean_message_data(m) for m in collector.messages]
Use separate memory IDs for separate tasks, avoid sending unnecessary sensitive data, and document retention/sanitization behavior for intermediate messages.
