Skill v1.0.0

ClawScan security

DBA多AI协作系统 · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Mar 13, 2026, 2:45 AM
Verdict
suspicious
Confidence
medium
Model
gpt-5-mini
Summary
The skill's instructions tell the agent to automatically read and write local 'memory/' files and schedule automated DB workflows (cron) — operations that can persist sensitive DB environment info — but the skill declares no required config paths, no safeguards, and gives no implementation details, which is inconsistent and risky.
Guidance
This skill's runtime instructions tell the agent to read and write local memory files (memory/env.json, history.json, preferences.json) and to run scheduled workflows. Those files can easily contain sensitive DB connection information. Before installing or using this skill: (1) Confirm with the author how memory/ is stored, protected, and purged (encryption, ACLs, retention, opt-out). (2) Do not supply production credentials or secrets; use redacted or read-only test accounts. (3) If you must use it, run the skill in an isolated environment and inspect the memory/ and references/ directories to verify what gets written. (4) Ask how scheduled cron jobs are implemented and whether autonomous execution can be disabled. If the author provides explicit, auditable storage safeguards and an opt-out for automatic memory, this assessment could move toward benign; without that, treat the skill as high-risk for secret leakage.

Review Dimensions

Purpose & Capability
note: The stated purpose (DBA multi-AI coordination) matches the high-level instructions (expert routing, reports, cross-DB workflows). However, the skill expects local directories (references/, prompts/, memory/) to exist and to be read/written at runtime but does not declare any required config paths or explain how those artifacts are provisioned. This omission is a design inconsistency.
Instruction Scope
concern: SKILL.md explicitly instructs the agent to automatically read memory/ on session start, update env.json/history.json/preferences.json when users mention environments or complete tasks, and to load prompts/ and references/ files as authoritative knowledge. Those instructions direct persistent local file I/O for potentially sensitive data (DB envs may contain connection strings/credentials). The doc also describes scheduled cron workflows without explaining how cron jobs are created or run by the agent. The instructions therefore go beyond simple conversational guidance and introduce data retention and automation behaviors that are not scoped or safeguarded.
Install Mechanism
ok: This is an instruction-only skill with no install spec and no code files, so nothing is written to disk by an installer. That lowers supply-chain risk, but also means the SKILL.md itself is the runtime behavior and must be trusted — there is no shipped code to inspect.
Credentials
concern: The skill declares no required environment variables or credentials, but its automatic memory mechanism explicitly stores 'environment information' provided by the user (e.g., 'automatically saved when the user first provides a database environment'). This could include sensitive DB credentials or connection strings. There is no mention of encryption, access control, redaction, retention policy, or an opt-out. Asking users to supply production DB environment details while automatically persisting them to plain JSON files is disproportionate and risky.
Persistence & Privilege
concern: The skill requests persistent behavior via automatic memory files and scheduled cron workflows. Although always:false (so it isn't force-enabled globally), the skill's autonomous invocation plus automatic memory and scheduled tasks increases attack surface if credentials are stored. The SKILL.md provides no mechanism for secure storage, explicit consent, or how scheduled tasks are implemented — an ambiguity that raises privilege-and-persistence concerns.