KameleonDB
Pass
Audited by VirusTotal on May 12, 2026.
Overview
Type: OpenClaw Skill
Name: kameleondb
Version: 0.1.5
The skill provides a database tool (`kameleondb`) with powerful capabilities, including arbitrary SQL execution via the `kameleondb --json query run "SQL_QUERY_STRING"` command, as demonstrated in SKILL.md and examples/workflow.md. While these capabilities are inherent to a database tool, they present a significant vulnerability surface (e.g., SQL injection) if the AI agent constructs SQL queries from untrusted user input without proper sanitization. Additionally, the skill involves local file system access (for SQLite databases and `--from-file` imports) and network access (for PostgreSQL), which are high-risk operations if misused, even though they are legitimate for the stated purpose.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If enabled broadly, the agent could change database structure or records without asking for every individual change.
The skill intentionally lets an agent create schemas, insert data, evolve structure, and optimize storage. This is purpose-aligned for a database skill, but it is still mutation authority over persistent data.
The agent owns the entire data lifecycle - from initial schema design through optimization - without human intervention.
Use a dedicated database, keep backups, and require explicit approval for destructive or production-impacting schema/data changes.
A high-privilege database URL could let the agent read or modify more data than intended.
The database URL may include credentials. This is expected for database connectivity, but the credential controls whatever database permissions that account has.
Set `KAMELEONDB_URL="postgresql://user:pass@localhost/dbname"`
Use a least-privilege database user, prefer a dedicated database for agent memory, and avoid placing credential-bearing URLs in shared memory or logs.
Installing the external package means trusting code outside the reviewed skill files.
The reviewed skill is instruction-only and relies on an external PyPI package/binary that was not included in the provided code artifacts. This is normal for a CLI integration, but provenance and version pinning matter.
pip install kameleondb[postgresql]
Install from the official source, pin an expected version, and review the package/repository before using it with sensitive or production data.
Stored records, preferences, or knowledge-base entries may be reused in future sessions, including if they are outdated, sensitive, or inaccurate.
The skill is explicitly designed as persistent memory for agents. That is coherent with its purpose, but persistent data can include sensitive information or later influence agent behavior.
Remember information across conversations ... maintain any persistent state
Define what may be stored, avoid secrets unless truly needed, review stored data periodically, and separate databases by project or trust boundary.
