Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

database-admin

Provides comprehensive database management services covering table schema design, bulk data operations, complex query optimization, type handling and transaction safety.

MIT-0 · Free to use, modify, and redistribute. No attribution required.
0 · 254 · 2 current installs · 3 all-time installs
Security Scan
VirusTotal
Suspicious
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The files and SKILL.md implement the advertised DB-admin capabilities (create/alter tables, bulk insert, backup/restore, query optimization). However the package metadata claims no required credentials or config, while multiple scripts hard-code a specific DB host, port, user, database and password (192.168.1.136:35438, postgres/Hxkj510510, db roadflow). That mismatch (no declared env/credentials but embedded secrets) is incoherent and unexpected.
Instruction Scope
SKILL.md and scripts instruct operations that can modify or delete production data (CREATE/DROP/ALTER/TRUNCATE, bulk inserts, migrations, backups and cleanup of backup directories). Several scripts build SQL via string concatenation (no parameterization) and some will remove files from backup dirs. The runtime instructions do not require explicit confirmation or a declared safe sandbox — they contain connection info and examples that point at a specific target DB.
Install Mechanism
There is no install spec (the skill is instruction-only), which reduces installer-level risk, but the bundle ships runnable Node.js scripts: if the agent or user runs them, they perform network and filesystem actions. package.json references a main script (scripts/index.js) that is not present (minor inconsistency).
Credentials
Declared requirements list no env vars or credentials, yet many files embed cleartext DB credentials and a specific host. Some scripts can fall back to environment variables, but multiple important scripts ignore env vars and use the hard-coded credentials. Requiring no secrets in metadata while shipping hard-coded secrets is disproportionate and risky.
Persistence & Privilege
The skill does not request platform-wide privileges (always:false) and does not modify other skills' configuration. Its actions are limited to the database and local backup paths referenced in scripts, which is appropriate for a DB-admin tool — but the combination with hard-coded credentials increases potential blast radius if those credentials are valid.
What to consider before installing
Key points to consider before installing or running:
(1) The code and SKILL.md include an explicit DB host, database name and a hard-coded password (192.168.1.136:35438, roadflow, user postgres, password Hxkj510510). Metadata declares no required credentials, which is inconsistent. Treat those embedded credentials as sensitive and verify their origin and validity.
(2) Many scripts perform destructive operations (ALTER, DROP, TRUNCATE, bulk INSERT, schema migrations) and cleanup of backup directories; do not run against production systems without code review and backups.
(3) Several SQL statements are built by concatenating strings (risk of SQL injection); prefer parameterized queries.
(4) Run the skill only in an isolated test environment first, audit all scripts, remove or replace any hard-coded credentials with environment variables, and confirm the intended target (this may be designed for a private internal DB).
(5) If you do not recognize the provided host/credentials or do not have permission to access that database, do not execute these scripts. If you need this functionality, request a variant that reads DB connection info from validated env vars and includes safety confirmations/prompts before destructive actions.

Like a lobster shell, security has layers — review code before you run it.

Current version v2.0.0
Tags: admin, database, latest, postgresql, schema-management, sql

SKILL.md

Database Administrator (Database Admin) 📜

"A strict father first, a kind one after" —— Du Zimei

This skill provides comprehensive database management features, including table schema creation, data manipulation, query optimization and type handling (such as BIGINT). All operations follow SQL best practices and transaction-safety principles.

Core capabilities

🔹 Table schema design

  • Automatically design optimal table structures (primary keys, indexes, constraints)
  • Support multiple data types (TEXT, VARCHAR, BIGINT, UUID, JSONB, ENUM)
  • Automatically create appropriate indexes to improve query performance
  • Set up foreign-key constraints and check constraints
  • Handle NULL values and default-value strategies

🔹 Data insertion

  • Bulk insert large volumes of data (optimized with transactions)
  • Handle big-number types such as BIGINT
  • Validate data-type compatibility
  • Avoid primary-key conflicts and foreign-key violations

🔹 Query optimization

  • Write efficient JOIN queries
  • Aggregate statistics and analytical queries
  • Use of subqueries and CTEs
  • Execution-plan analysis and optimization suggestions

🔹 Database maintenance

  • CREATE TABLE, ALTER TABLE, DROP TABLE
  • INDEX creation and DROP INDEX
  • TRUNCATE to empty a table (keeping its structure)
  • VACUUM and ANALYZE tables
  • Backup and restore operations

Usage scenarios

Trigger this skill when you need operations such as:

  • "Create a users table with username, email and registration time"
  • "Insert these product records into the products table..."
  • "Query all orders with sales over 100,000 yuan"
  • "Create an index on customer_id for the orders table"
  • "Convert text_column from TEXT to VARCHAR(255)"
  • "Bulk import 100,000 records, using transaction optimization"
  • "Fix BIGINT data overflow issues"

Technical details

Behind the scenes, this skill uses:

  • Driver: pg (PostgreSQL)
  • Connection pool: pgpool to manage concurrent connections
  • Bulk insert: COPY or batched INSERT to optimize performance
  • Transaction control: automatically begins/commits transactions to guarantee ACID properties
  • Error handling: catches and reports constraint violations, type mismatches, etc.
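
The scan findings above recommend reading connection settings from validated environment variables, building SQL with bound parameters rather than string concatenation, and requiring confirmation before destructive statements; the technical details just listed describe batched INSERTs inside a transaction through the pg driver. The Node.js code below is an added example that is not part of the database-admin skill's own scripts. It assumes the libpq-style PGHOST/PGPORT/PGUSER/PGPASSWORD/PGDATABASE variable names and a client object exposing a pg-style query() method that accepts either a string or {text, values}; no connection is opened, and the sample rows are constructed here.

```javascript
// Added example (not the skill's code): env-var config, parameterized
// multi-row INSERT, destructive-statement gate, and a transactional batch.

const REQUIRED_VARS = ['PGHOST', 'PGPORT', 'PGUSER', 'PGPASSWORD', 'PGDATABASE'];

// Read connection info from validated environment variables instead of
// hard-coding host, user and password in the scripts. Throws if a setting
// is missing or the port is not a usable TCP port.
function loadDbConfigFromEnv(env = process.env) {
  const missing = REQUIRED_VARS.filter((k) => !env[k] || env[k].trim() === '');
  if (missing.length) {
    throw new Error(`missing required DB settings: ${missing.join(', ')}`);
  }
  const port = Number(env.PGPORT);
  if (!Number.isInteger(port) || port < 1 || port > 65535) {
    throw new Error(`PGPORT must be a TCP port number, got "${env.PGPORT}"`);
  }
  return {
    host: env.PGHOST,
    port,
    user: env.PGUSER,
    password: env.PGPASSWORD,
    database: env.PGDATABASE,
  };
}

// Table and column names cannot be bound as parameters, so they are checked
// against a conservative pattern (PostgreSQL's 63-char limit) and quoted.
const IDENT_RE = /^[A-Za-z_][A-Za-z0-9_]{0,62}$/;
function quoteIdent(name) {
  if (!IDENT_RE.test(name)) throw new Error(`invalid SQL identifier: ${name}`);
  return `"${name}"`;
}

// Multi-row INSERT with $n placeholders: row values travel separately from
// the SQL text, so quotes or SQL fragments inside a value stay plain data.
function buildBulkInsert(table, columns, rows) {
  if (!rows.length) throw new Error('no rows to insert');
  const cols = columns.map(quoteIdent);
  const values = [];
  const tuples = rows.map((row) => {
    const placeholders = columns.map((col) => {
      values.push(row[col] === undefined ? null : row[col]);
      return `$${values.length}`;
    });
    return `(${placeholders.join(', ')})`;
  });
  const text = `INSERT INTO ${quoteIdent(table)} (${cols.join(', ')}) VALUES ${tuples.join(', ')}`;
  return { text, values };
}

// Statements that destroy data or structure should be surfaced to the user
// for explicit confirmation before they are sent to the database.
const DESTRUCTIVE_RE = /^\s*(DROP|TRUNCATE|ALTER|DELETE)\b/i;
function requiresConfirmation(sql) {
  return DESTRUCTIVE_RE.test(sql);
}

// Send the rows in chunks inside one transaction; any failure rolls back
// everything so a partial batch never remains in the table.
async function runBulkInsert(client, table, columns, rows, { chunkSize = 500 } = {}) {
  await client.query('BEGIN');
  try {
    let inserted = 0;
    for (let i = 0; i < rows.length; i += chunkSize) {
      const chunk = rows.slice(i, i + chunkSize);
      const { text, values } = buildBulkInsert(table, columns, chunk);
      const res = await client.query({ text, values });
      inserted += res.rowCount;
    }
    await client.query('COMMIT');
    return inserted;
  } catch (err) {
    await client.query('ROLLBACK');
    throw err;
  }
}

// Constructed sample input in the shape of the SKILL.md stock_info example;
// the second name carries an apostrophe to show it never touches the SQL text.
const SAMPLE_ROWS = [
  { product_name: '苹果', quantity: 100, price: 8.5 },
  { product_name: "Granny Smith 'premium'", quantity: 20, price: 6.0 },
];

// Typical flow: const cfg = loadDbConfigFromEnv(); connect a pg client with
// cfg; then await runBulkInsert(client, 'stock_info',
//   ['product_name', 'quantity', 'price'], SAMPLE_ROWS);
```

buildBulkInsert on SAMPLE_ROWS yields the text `INSERT INTO "stock_info" ("product_name", "quantity", "price") VALUES ($1, $2, $3), ($4, $5, $6)` with the six values in a separate array; a scripted caller can also pass each maintenance statement through requiresConfirmation before executing it, which is the confirmation step the scan notes is absent from the bundled scripts.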

Database configuration (roadflow)

  • Host: 192.168.1.136
  • Port: 35438
  • User: postgres
  • Password: Hxkj510510
  • Target database: roadflow

Example usage

Create a table

Create an inventory table stock_info containing:
- id (SERIAL PRIMARY KEY)
- product_name (VARCHAR(100))
- quantity (INT)
- price (DECIMAL(10,2))
- created_at (TIMESTAMP)
- an index on product_name

Insert data

Insert the following products into the stock_info table:
[{product_name: "苹果", quantity: 100, price: 8.5}, ...]

Query statistics

Calculate the average product price per category
WHERE quantity > 50
GROUP BY category
ORDER BY avg_price DESC

Skill written by Du Fu (📜), in the pragmatic spirit of "raise the ruler above Yao and Shun, and make the customs pure once more"

Files

15 total