ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Byted Bytehouse Load Analyzer

v1.0.0

ByteHouse集群负载分析和性能监控工具,用于分析集群负载情况、监控资源使用情况、分析查询吞吐量、识别性能瓶颈。当用户需要分析ByteHouse集群负载情况、监控资源使用情况、分析查询吞吐量、识别性能瓶颈时,使用此Skill。

0· 73·0 current·0 all-time
by@volcengine-skills
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
!
Purpose & Capability
The skill's description and SKILL.md state it analyzes ByteHouse clusters and depends on a 'bytehouse-mcp' skill — that is coherent. However, the registry metadata declares no required environment variables or primary credential even though SKILL.md and the script require BYTEHOUSE_HOST/PORT/USER/PASSWORD. The missing declaration is an incoherence: the skill will need credentials but the manifest does not declare them.
!
Instruction Scope
SKILL.md instructs the user to set ByteHouse credentials and to reuse the bytehouse-mcp skill, which is expected. The shipped script, however, copies the entire process environment (os.environ.copy()) and passes it into the MCP subprocess, which means any unrelated secrets in the agent environment could be exposed to the subprocess. The SKILL.md does not disclose that it will forward the full environment. The script also launches an external MCP server component (via stdio_client and a command invocation) which may execute arbitrary code provided by that component — again not fully documented in the manifest.
Install Mechanism
There is no formal install spec (instruction-only), so nothing is automatically written at install. But the script starts an external command at an absolute path ('/root/.local/bin/uvx') with an argument that looks like a VCS package spec pointing to GitHub (git+https://github.com/volcengine/mcp-server@main#subdirectory=...), which will cause network fetch/installation at runtime. SKILL.md earlier mentions 'uv' at /root/.local/bin/uv, while the code uses '/root/.local/bin/uvx' — that mismatch is suspicious and undocumented. Running a subprocess that can pull code from GitHub is higher-risk than pure local analysis and should be reviewed.
!
Credentials
The skill requires ByteHouse credentials in practice (BYTEHOUSE_HOST, PORT, USER, PASSWORD) but the registry metadata lists no required env vars and no primary credential. Additionally, the script passes the entire environment into the subprocess, which can expose unrelated secrets (cloud keys, tokens, etc.) to the spawned process. Requiring the ByteHouse password is proportionate to the stated task, but the lack of manifest declaration and the full-env forwarding are problematic.
Persistence & Privilege
The skill does not request 'always: true' and is user-invocable only. It writes output files into its own output/ directory (expected). The notable privilege is runtime: it spawns an external subprocess (absolute path) and lets that subprocess handle MCP server logic — this gives that subprocess the ability to execute arbitrary code and access the forwarded environment. That runtime capability increases blast radius if the subprocess or fetched code is untrusted.
What to consider before installing
Before installing or running this skill, consider the following: - Missing manifest declarations: The skill actually needs BYTEHOUSE_HOST, BYTEHOUSE_PORT, BYTEHOUSE_USER, and BYTEHOUSE_PASSWORD but the registry metadata does not declare them; ask the author to add these to requires.env/primaryEnv. - Environment leakage: The script copies and forwards the entire process environment to a spawned subprocess. If your agent environment contains other secrets (cloud keys, tokens, etc.), those may be exposed. Only run this in an environment without sensitive credentials or request the author whitelist only the needed BYTEHOUSE_* variables. - Subprocess and remote code fetch: The script invokes an absolute command (/root/.local/bin/uvx) and passes a git+https VCS spec pointing at GitHub. That will likely fetch and run code at runtime. Verify the referenced GitHub repository and the exact code that will be executed. The SKILL.md mentions 'uv' but the code calls 'uvx' — get clarification and ensure paths/commands are correct and trusted. - Principle of least privilege: If you must use this, run it in an isolated environment (ephemeral container or sandbox) that does not hold other secrets or host-critical access. - Ask the maintainer to: (1) update registry metadata to list required env variables and primary credential; (2) document exactly what subprocess is started and what network fetches occur; (3) avoid passing the full environment to subprocesses or explicitly whitelist environment variables; (4) fix the uv/uvx path mismatch. If you cannot obtain satisfactory answers and confirmation of the upstream code, treat this skill as risky and avoid running it on hosts that contain other credentials or sensitive data.

Like a lobster shell, security has layers — review code before you run it.

latestvk97egdrk7gwmrtcgnpr33hhbb583mdnr
73downloads
0stars
1versions
Updated 3w ago
v1.0.0
MIT-0
@volcengine-skills
latest
Download

ByteHouse 负载分析 Skill

🔵 ByteHouse 品牌标识

「ByteHouse」—— 火山引擎云原生数据仓库,极速、稳定、安全、易用

本Skill基于ByteHouse MCP Server,提供完整的集群负载分析和性能监控能力

描述

ByteHouse集群负载分析和性能监控工具。

当以下情况时使用此 Skill: (1) 需要分析集群负载情况 (2) 需要监控资源使用情况 (3) 需要分析查询吞吐量 (4) 需要识别性能瓶颈 (5) 用户提到"负载分析"、"性能监控"、"资源使用"、"吞吐量"

前置条件

  • Python 3.8+
  • uv (已安装在 /root/.local/bin/uv)
  • ByteHouse MCP Server Skill - 本skill依赖 bytehouse-mcp skill提供的ByteHouse访问能力

依赖关系

本skill依赖 bytehouse-mcp skill,使用其提供的MCP Server访问ByteHouse。

确保 bytehouse-mcp skill已正确配置并可以正常使用。

📁 文件说明

  • SKILL.md - 本文件,技能主文档
  • load_analyzer.py - 负载分析主程序
  • README.md - 快速入门指南

配置信息

ByteHouse连接配置

本skill复用 bytehouse-mcp skill的配置。请确保已在 bytehouse-mcp skill中配置好:

export BYTEHOUSE_HOST="<ByteHouse-host>"
export BYTEHOUSE_PORT="<ByteHouse-port>"
export BYTEHOUSE_USER="<ByteHouse-user>"
export BYTEHOUSE_PASSWORD="<ByteHouse-password>"
export BYTEHOUSE_SECURE="true"
export BYTEHOUSE_VERIFY="true"

🎯 功能特性

1. 资源使用分析

  • CPU使用率监控
  • 内存使用率分析
  • 磁盘空间监控
  • 网络流量统计

2. 查询负载分析

  • QPS (每秒查询数) 统计
  • 查询并发度分析
  • 查询类型分布
  • 高峰时段识别

3. 表负载分析

  • 表访问热度排名
  • 表读写比例分析
  • 表大小增长趋势
  • 分区负载分布

4. 性能瓶颈识别

  • 资源瓶颈识别
  • 查询队列分析
  • 锁等待统计
  • 优化建议生成

🚀 快速开始

方法1: 运行负载分析

cd /root/.openclaw/workspace/skills/bytehouse-load-analyzer

# 先设置环境变量(复用bytehouse-mcp的配置)
export BYTEHOUSE_HOST="<ByteHouse-host>"
export BYTEHOUSE_PORT="<ByteHouse-port>"
export BYTEHOUSE_USER="<ByteHouse-user>"
export BYTEHOUSE_PASSWORD="<ByteHouse-password>"
export BYTEHOUSE_SECURE="true"
export BYTEHOUSE_VERIFY="true"

# 运行负载分析
uv run load_analyzer.py

分析内容包括:

  • 集群资源使用情况
  • 查询负载统计
  • 表访问热度
  • 性能瓶颈识别
  • 优化建议生成

输出文件(保存在 output/ 目录):

  1. resource_usage_{timestamp}.json - 资源使用报告
  2. query_load_{timestamp}.json - 查询负载报告
  3. table_load_{timestamp}.json - 表负载报告
  4. bottleneck_analysis_{timestamp}.json - 瓶颈分析报告

💻 负载分析维度

资源维度

  • CPU: 使用率、等待时间、上下文切换
  • 内存: 使用量、缓存、Swap使用
  • 磁盘: 使用率、IOPS、吞吐量
  • 网络: 入流量、出流量、连接数

时间维度

  • 实时: 当前负载情况
  • 最近1小时: 1小时内趋势
  • 最近24小时: 24小时内趋势
  • 最近7天: 7天内趋势
  • 历史对比: 同比环比分析

表维度

  • 访问热度: 查询次数排名
  • 读写比例: 读写操作比例
  • 大小增长: 表大小变化趋势
  • 分区分布: 分区数据分布

📊 负载报告示例

资源使用报告

{
  "analysis_time": "2026-03-12T21:00:00",
  "cluster_name": "bh_log_boe",
  "resources": {
    "cpu": {
      "usage_percent": 65.5,
      "wait_time_ms": 15,
      "context_switches": 10000
    },
    "memory": {
      "used_gb": 128.5,
      "total_gb": 256.0,
      "usage_percent": 50.2
    },
    "disk": {
      "used_gb": 5120.0,
      "total_gb": 10240.0,
      "usage_percent": 50.0,
      "iops_read": 5000,
      "iops_write": 3000
    }
  }
}

查询负载报告

{
  "analysis_time": "2026-03-12T21:00:00",
  "query_load": {
    "qps": 500,
    "concurrent_queries": 50,
    "query_types": {
      "SELECT": 70,
      "INSERT": 20,
      "UPDATE": 5,
      "DELETE": 3,
      "DDL": 2
    },
    "peak_hours": [
      "10:00-11:00",
      "14:00-15:00",
      "20:00-21:00"
    ]
  }
}

📚 更多信息

详细使用说明请参考 bytehouse-mcp skill

最后更新: 2026-03-12

Comments

Loading comments...