v1.0.0

MySQL Natural Language Query Assistant

SuspiciousClawScan verdict for this skill. Analyzed Apr 30, 2026, 11:30 AM.

Analysis

This appears to be a legitimate MySQL read-only query helper, but it under-declares the database credentials and live database access it requires.

GuidanceBefore installing, make sure you are comfortable providing DB_URL, DB_USER, and DB_PASSWORD for a live MySQL database. Use a read-only, least-privilege account, preferably against a replica; review generated SQL; and pin or carefully review any Python MySQL driver you install.

Findings (5)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Tool Misuse and Exploitation

SeverityMediumConfidenceHighStatusNote

scripts/run_read_query.py

READ_ONLY_PREFIXES = ("select", "with", "show", "describe", "desc", "explain") ... cur.execute(sql)

The skill executes model-produced SQL against a live MySQL database, with a lexical read-only allowlist. This is aligned with the skill's purpose, but users should notice that database reads are real actions using the supplied account's access.

User impactThe assistant can query any data the configured database account can read, so overly broad database credentials could expose more data than intended.

RecommendationUse a least-privilege read-only database user, prefer a read replica when possible, and review the final SQL before relying on results.

Agentic Supply Chain Vulnerabilities

SeverityLowConfidenceHighStatusNote

references/connection-and-safety.md

pip install mysql-connector-python ... pip install pymysql

The skill depends on external Python database drivers and documents unpinned pip install commands, while no install spec is provided. The packages are purpose-aligned, but version/provenance is not fixed.

User impactInstalling unpinned dependencies can produce different code over time and may be harder to audit or reproduce.

RecommendationPin dependency versions in an install spec or documented lockfile, and install packages only from trusted package indexes.

Cascading Failures

SeverityMediumConfidenceMediumStatusNote

scripts/run_read_query.py

cur.execute(sql) ... rows = cur.fetchmany(limit) ... max(1, min(args.limit, 100))

The script limits returned sample rows to at most 100, but it still executes the full SQL statement against the live database and does not enforce a SQL-level LIMIT or query timeout.

User impactA poorly generated read query could still be expensive for the database even if only a small sample is returned.

RecommendationUse a read replica or constrained database user, add statement timeouts where possible, and prefer explicit LIMITs and narrow filters.

Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse

SeverityHighConfidenceHighStatusConcern

metadata / scripts/run_read_query.py

Required env vars: none; Primary credential: none ... RuntimeError("DB_URL, DB_USER, and DB_PASSWORD must be set.")

The registry metadata says no credentials or environment variables are required, but the script requires MySQL connection credentials. This under-discloses the permission boundary the skill needs.

User impactA user may install the skill without realizing it needs live database credentials and will operate with the full read privileges of the provided database account.

RecommendationDeclare DB_URL, DB_USER, and DB_PASSWORD in the skill metadata, document the required privilege level, and recommend a read-only, least-privilege account.

Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Memory and Context Poisoning

SeverityMediumConfidenceHighStatusNote

SKILL.md

Prefer column comments when available. ... Infer business meaning from comments and names.

The skill intentionally uses persistent database schema metadata and column comments as context for query generation. This is appropriate for schema understanding, but comments can influence the assistant's interpretation.

User impactIncorrect or malicious column comments could steer the assistant toward wrong assumptions or unsafe query choices.

RecommendationTreat schema comments as semantic hints rather than instructions, and review generated SQL when database metadata may be stale or untrusted.