Studio Agent Dist

Warn

Audited by ClawScan on May 10, 2026.

Overview

This appears to be a real ClickZetta Studio integration, but it needs review because it runs user text through a shell command and defaults some remote action decisions to auto-approve while using account credentials.

Install only if you trust this skill with your ClickZetta account. Use a least-privileged JDBC credential, be cautious with SQL text containing shell metacharacters until the command invocation is made shell-safe, and consider disabling auto-approval for mutating ClickZetta actions.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

A crafted request or SQL text could be interpreted by the local shell before the Node script receives it, potentially running unintended local commands or changing the request.

Why it was flagged

The mandatory runtime path places raw user input into a bash command argument and says to run it immediately. Double quotes do not safely neutralize embedded quotes, backticks, or $() shell substitutions.

Skill content

node {baseDir}/scripts/cz-agent-oneshot.mjs --input "<user_input>"

Recommendation

Invoke the script without a shell, such as with an argument array/execFile, or pass user input through stdin or a temporary JSON file. If a shell must be used, explicitly shell-escape the input.

What this means

A ClickZetta operation that would normally require a tool/action approval may be approved automatically, increasing the chance of unintended job or SQL execution.

Why it was flagged

The one-shot runner defaults the interrupt/decision mode to auto_approve. Because this skill handles SQL, job creation, and job execution workflows, this can reduce user confirmation for high-impact remote actions.

Skill content

if (!asTrimmedString(env.CZ_INTERRUPT_DECISION_MODE)) {
  env.CZ_INTERRUPT_DECISION_MODE = "auto_approve";
}

Recommendation

Default to manual approval or auto-reject for mutating actions, and require clear user confirmation before creating/running jobs, executing SQL, or changing workspace-affecting state.

What this means

Anyone who can invoke the skill with that configured secret can act through the connected ClickZetta account within the permissions of those credentials.

Why it was flagged

The skill requires a JDBC URL containing username and password material and uses it to access ClickZetta. This is expected for the stated integration, but it is account-level credential access.

Skill content

Paste one JDBC URL into the secret field for `CZ_STUDIO_JDBC_URL` ... `?username=<username>&password=<password>`

Recommendation

Use least-privileged ClickZetta credentials, avoid shared administrator accounts, and rotate the credential if the skill or host environment is no longer trusted.

What this means

Local cache files may contain session or workspace information that should be protected from other local users or processes.

Why it was flagged

The skill discloses that it caches workspace data and an authentication token locally. The TTL/expiry behavior is bounded, but the cached token is sensitive session material.

Skill content

The workspace list and the token are cached separately: the token follows the login expiry time, and the workspace list has a default TTL of 5 minutes

Recommendation

Store cache files in a user-private directory with restrictive permissions, provide a clear cache-clearing path, and avoid sharing machine profiles that run this skill.