Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
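MySQL Skill - Conversational Database Management
v1.0.0
MySQL database management skill. Query and manage MySQL databases through natural language, with support for SELECT/INSERT/UPDATE/DELETE, table management, backup and restore, and other operations. Use this skill when the user mentions MySQL, database queries, table creation, or data backup.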
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The skill's name, description, and SKILL.md all describe MySQL management and the instructions and examples are coherent with that purpose. However, the registry metadata at the top states 'Required binaries: none' while the included package.json declares runtime requirements for the mysql and mysqldump clients and provides install commands — this mismatch is a packaging/metadata inconsistency that should be resolved.
Instruction Scope
SKILL.md stays within the stated purpose: it describes installing a MySQL client, configuring connection via ~/.my.cnf or environment variables, generating SQL, running mysql/mysqldump for backup/restore, and gives troubleshooting and safety advice. It does not instruct reading unrelated files or sending data to external endpoints.
Install Mechanism
There is no aggressive install (no remote arbitrary downloads). package.json includes an 'openclaw.install' section that recommends installing the MySQL client via apt/brew — a low-risk, standard system package install. But the registry summary said 'No install spec' while package.json includes install instructions; this inconsistency should be resolved.
Credentials
SKILL.md suggests using MYSQL_HOST, MYSQL_USER, MYSQL_PASSWORD, MYSQL_DATABASE or a ~/.my.cnf file — these are exactly the credentials needed for MySQL access and are proportionate to the skill's function. Note: storing plaintext passwords in ~/.my.cnf or environment vars is convenient but has security implications; the SKILL.md itself notes using env vars and least-privilege accounts, which is appropriate.
Persistence & Privilege
Skill is not always-enabled and does not request elevated persistent privileges. It suggests creating a per-user ~/.my.cnf (a normal, limited-scope config file). It does not attempt to modify other skills or system-wide settings beyond typical client installation guidance.
What to consider before installing
This skill is generally coherent with its stated purpose (generating and running MySQL commands), but check a few things before installing:
1) Resolve the packaging/metadata mismatch: the registry summary claims no required binaries while package.json lists mysql/mysqldump and provides install commands; confirm you are comfortable with the client installation.
2) Never put sensitive production credentials into tools without review: prefer a least-privilege DB user, avoid using a root/admin account, and protect ~/.my.cnf (file permissions) if you create it.
3) Understand that the agent can generate and run SQL: require explicit confirmation for destructive write operations or use read-only credentials for routine queries.
4) Verify the source (package.json lists a GitHub repo and homepage); if the origin is unknown/untrusted, inspect the repository or avoid installing.
If you need higher assurance, ask the maintainer for clarification or request a signed/official release before use.
Like a lobster shell, security has layers: review code before you run it.
