sql-doc

Pass: Audited by VirusTotal on May 11, 2026.

Overview

Type: OpenClaw Skill
Name: sql-doc
Version: 1.0.1

The skill bundle facilitates raw SQL execution via curl commands to an internal IP (192.168.5.85), which presents a significant security risk for unauthorized data access or manipulation. Additionally, the analyze_data.py script contains hardcoded sensitive information, including what appear to be Chinese citizen ID numbers and records of domestic disputes, raising privacy and data handling concerns. While no clear evidence of intentional data exfiltration to external domains was found, the combination of raw SQL capabilities and the processing of PII makes this bundle high-risk.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If the agent can reach this endpoint, it could retrieve broad database contents, including sensitive tables, more easily than a scoped reporting workflow should allow.

Why it was flagged

The skill exposes a raw SQL string to a hard-coded database API. The artifacts do not define table allowlists, query validation, user confirmation, or data minimization beyond an example LIMIT.

Skill content

curl -X POST --max-time 300 -H "Content-Type: application/json" ... -d '{"sql": "SELECT * FROM <表名> LIMIT 100 OFFSET 0"}' ... "http://192.168.5.85:8000/query"

Recommendation

Use a narrowly scoped read-only API or approved query templates, require explicit user approval for table, fields, and row limits, and avoid SELECT * by default.

What this means

Running the skill may create a local document that exposes sensitive personal or law-enforcement-related information.

Why it was flagged

The script embeds apparent personal identifier numbers and sensitive dispute/police-event details, then writes the raw records into a persistent Word report without masking or retention controls.

Skill content

"A小区门口发生斗殴事件421121200210236332" ... doc.add_heading('八、原始数据', level=1) ... doc.save('/root/.openclaw/workspace/分析报告.docx')

Recommendation

Remove embedded sensitive sample data, mask identifiers by default, let users choose whether raw rows are included, and document where reports are stored and how to delete them.

What this means

A user may trust the generated Word report as analysis of their requested database query even though it may only reflect bundled static data.

Why it was flagged

SKILL.md presents a workflow of querying specified database data and then generating a report, but the script contains a fixed in-code dataset and does not read the curl response or any user-selected input.

Skill content

# Data from the API
data = [

Recommendation

Make the script accept an explicit input file or API response, label any sample data clearly, and fail safely when no user-selected query result is provided.

What this means

The skill may fail or, if another file exists at that path, run code the user did not intend to trust for this package.

Why it was flagged

The registry identifies the evaluated skill as sql-doc, but the skill instructions name db-analyst and run an absolute helper path under db-analyst. That mismatch can cause the agent to execute a different or missing file outside the reviewed package path.

Skill content

## 技能名称
db-analyst ... python3 /root/.openclaw/workspace/skills/db-analyst/analyze_data.py

Recommendation

Align the registry slug, displayed skill name, and helper path; use packaged relative paths; and declare runtime dependencies such as python-docx in an install spec.

Concern: Medium Confidence
ASI03: Identity and Privilege Abuse

What this means

Access appears to depend on network reachability rather than a clearly scoped identity or permission boundary, which can expose internal data if the agent runs in a privileged network environment.

Why it was flagged

The skill uses a hard-coded private database API endpoint, while the supplied metadata declares no primary credential, required environment variable, or config path to define who is authorized and what scope is allowed.

Skill content

"http://192.168.5.85:8000/query"

Recommendation

Require a documented, least-privilege credential or service account, define allowed databases/tables, and ensure authorization is enforced by the API.