Skill v1.0.0

ClawScan security

Lite Sqlite · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Feb 18, 2026, 8:51 AM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
The skill is internally consistent with its description (a lightweight local SQLite wrapper/CLI); it requires no extra credentials or installs, but it exposes powerful file I/O and arbitrary-SQL execution that you should use only with trusted inputs and proper filesystem isolation.
Guidance
This skill appears to do what it claims (a local SQLite wrapper and CLI). Before installing:

1. Only use it with trusted inputs. Its execute()/query() methods and the CLI accept arbitrary SQL and unsanitized table/column names, so attacker-controlled input can lead to SQL injection or destructive SQL.
2. Be cautious about backup/output paths: the code creates directories and writes files, and could overwrite sensitive files if given paths you don't expect.
3. Run the skill with limited filesystem permissions (or in a sandbox/container) if possible, and avoid granting it agent-level privileges that let untrusted prompts trigger DB actions.

If you need stricter safety, request changes: sanitize identifiers, avoid executing raw SQL from untrusted sources, and add path whitelisting for backups.

Review Dimensions

Purpose & Capability
ok · Name/description match the included code: a lightweight SQLite wrapper and CLI. No unrelated environment variables, binaries, or install steps are requested. The files provide the DB functionality described (table management, queries, backup, pooling).
Instruction Scope
note · SKILL.md and the code focus on local DB operations. However, the API/CLI intentionally accepts arbitrary SQL (execute/query) and constructs SQL identifiers (table/column names) via string interpolation; the CLI can read JSON files and write backups to arbitrary paths. These behaviors are expected for a DB tool but increase risk if the skill is fed untrusted input or run with broad filesystem access.
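The two findings above (identifiers built by string interpolation, and backup paths written wherever the caller points) and the "request changes" items in the Guidance are what the following added example addresses. It is illustrative code written for this review, not the Lite Sqlite skill's own source: the SafeDB class, the identifier allow-list regex, the accepted column types and the backup-directory confinement are all assumptions about how a hardened wrapper could look. It validates and double-quotes every table/column name before it reaches the SQL text, binds all values as parameters, and refuses any backup destination that resolves outside a configured base directory.

```python
import os
import re
import sqlite3
import tempfile
from typing import Optional

# Allow-list for identifiers (assumed policy): SQLite cannot bind table/column
# names as parameters, so they must be validated and quoted before interpolation.
_IDENT_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]{0,63}$")
# Column types the wrapper accepts (assumed subset, not the skill's own list).
_ALLOWED_TYPES = {"TEXT", "INTEGER", "REAL", "BLOB"}


def quote_ident(name: str) -> str:
    """Reject anything outside the allow-list, then double-quote the name."""
    if not _IDENT_RE.match(name):
        raise ValueError(f"invalid SQL identifier: {name!r}")
    return '"' + name + '"'


def safe_backup_path(base_dir: str, requested: str) -> str:
    """Resolve `requested` under `base_dir` and refuse anything that escapes it."""
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, requested))
    if target == base or os.path.commonpath([base, target]) != base:
        raise ValueError(f"backup path escapes {base_dir!r}: {requested!r}")
    return target


class SafeDB:
    """Hypothetical hardened wrapper: structured operations only, no raw-SQL entry point."""

    def __init__(self, path: str = ":memory:", backup_dir: Optional[str] = None):
        self.conn = sqlite3.connect(path)
        self.backup_dir = backup_dir

    def create_table(self, table: str, columns: dict) -> None:
        defs = []
        for col, typ in columns.items():
            if typ.upper() not in _ALLOWED_TYPES:
                raise ValueError(f"unsupported column type: {typ!r}")
            defs.append(f"{quote_ident(col)} {typ.upper()}")
        self.conn.execute(f"CREATE TABLE {quote_ident(table)} ({', '.join(defs)})")

    def insert(self, table: str, row: dict) -> None:
        cols = ", ".join(quote_ident(c) for c in row)
        marks = ", ".join("?" for _ in row)
        # Values are bound as parameters, never interpolated into the SQL text.
        self.conn.execute(
            f"INSERT INTO {quote_ident(table)} ({cols}) VALUES ({marks})",
            tuple(row.values()),
        )

    def select(self, table: str, where_col: Optional[str] = None, value=None) -> list:
        sql = f"SELECT * FROM {quote_ident(table)}"
        params: tuple = ()
        if where_col is not None:
            sql += f" WHERE {quote_ident(where_col)} = ?"
            params = (value,)
        return self.conn.execute(sql, params).fetchall()

    def backup(self, name: str) -> str:
        if self.backup_dir is None:
            raise ValueError("no backup directory configured")
        dest = safe_backup_path(self.backup_dir, name)
        os.makedirs(os.path.dirname(dest), exist_ok=True)
        with sqlite3.connect(dest) as out:
            self.conn.backup(out)  # sqlite3 online-backup API (Python 3.7+)
        return dest


def demo() -> dict:
    """Exercise the wrapper with constructed hostile inputs; returns outcomes for checking."""
    backup_dir = tempfile.mkdtemp()
    db = SafeDB(backup_dir=backup_dir)
    db.create_table("users", {"id": "INTEGER", "name": "TEXT"})
    db.insert("users", {"id": 1, "name": "alice"})

    # Injection-looking value (constructed): bound as data, so it matches nothing.
    matched = db.select("users", "name", "alice' OR '1'='1")

    # Injection attempt through an identifier is rejected before any SQL runs.
    try:
        db.select('users"; DROP TABLE users; --')
        ident_rejected = False
    except ValueError:
        ident_rejected = True

    # Traversal attempt on the backup path is rejected; a plain relative name succeeds.
    try:
        db.backup("../../etc/passwd")
        path_rejected = False
    except ValueError:
        path_rejected = True
    backup_file = db.backup("snapshots/users.db")

    return {
        "rows": db.select("users"),
        "hostile_matches": matched,
        "ident_rejected": ident_rejected,
        "path_rejected": path_rejected,
        "backup_exists": os.path.exists(backup_file),
    }


if __name__ == "__main__":
    print(demo())
```

The design choice worth noting: the wrapper has no execute()/query() method that takes raw SQL at all. If the skill must keep one for power users, the same allow-list and path-confinement checks still help for the structured calls, but a raw-SQL entry point can only be made safe by controlling who may call it, which is the third Guidance item.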
Install Mechanism
ok · No install spec or remote downloads; this is instruction+source files only. Nothing is pulled from external URLs or installed automatically.
Credentials
ok · No environment variables, credentials, or external service tokens are requested. The code does not rely on unrelated secrets or configuration.
Persistence & Privilege
note · Skill does not request always:true and does not modify other skill configs. It performs local filesystem writes (databases, backups). Because autonomous invocation is allowed by default, an agent could run SQL or write files with this skill; consider limiting who/what can invoke it or run it in a restricted environment.