Db Explorer
Pass. Audited by VirusTotal on May 10, 2026.
Overview
Type: OpenClaw Skill
Name: db-explorer-tool
Version: 2.0.0

The db-explorer skill (SKILL.md) provides an AI agent with comprehensive instructions to interact with various databases using CLI tools like psql, mysql, and mongosh. Although it includes explicit safety rules such as read-only defaults, query limits, and transaction wrapping, the skill facilitates high-risk behaviors including shell command execution, database credential handling, and local file system writes (e.g., to /tmp/export.csv). These capabilities are consistent with the tool's stated purpose but present a broad attack surface for potential misuse, justifying a suspicious classification.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If the user provides privileged credentials, the agent could query, export, or, with confirmation, modify important database data.
The skill requires database credentials or connection details. This is expected for a database explorer, but those credentials may grant access to sensitive or production data.
Ask the user for:
- Database type (postgres/mysql/sqlite/mongo/redis)
- Connection string OR host/port/database/user/password
Use read-only or least-privilege credentials whenever possible, avoid production admin accounts, and do not share passwords beyond the specific database task.
A confirmed write or destructive query could permanently change or remove database records.
The skill contemplates write, delete, and drop operations against databases. It includes an explicit confirmation requirement, so this behavior is purpose-aligned but still high-impact.
Never run INSERT/UPDATE/DELETE/DROP without explicit user confirmation
Review every write query before approving it, prefer transactions and rollback previews, and keep backups or recovery plans for important databases.
The agent could read or export more data than intended, or run a Redis command that affects performance on a large or production instance.
Some example commands are broad: exporting SELECT * can copy entire tables, and Redis KEYS "*" can be expensive on large Redis instances.
psql "$CONN" -c "\copy (SELECT * FROM table_name) TO '/tmp/export.csv' WITH CSV HEADER" ... redis-cli -h host -p 6379 -a password KEYS "*"
Add WHERE clauses and LIMITs for exports, choose safe output paths, and use Redis SCAN instead of KEYS "*" on production-sized databases.
Installing external tools changes the local environment and depends on the trustworthiness of the package source.
The skill relies on external database command-line clients installed by the user. This is normal for the purpose, and there is no automatic install script in the provided artifacts.
CLI Tool | Install (macOS) | Install (Linux) ... psql ... brew install postgresql ... apt install postgresql-client
Install database clients only from trusted package managers or official vendor documentation, and verify what will be installed.
