ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

MYSQL QUERY

v1.0.1

Query project databases with automatic SSH tunnel management. Use when you need to execute SQL queries against configured databases, especially those accessi...

8· 3.2k·16 current·17 all-time
by@zenixp
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Benign
medium confidence
Purpose & Capability
Name/description state: run MySQL queries with SSH tunnel management. The included script implements exactly that: reads a JSON config, optionally starts an SSH tunnel (ssh/sshpass), and runs the mysql client. No unrelated services or credentials are requested by the code.
Instruction Scope
SKILL.md and the script operate within expected scope: they read a single config file (default ~/.config/clawdbot/db-config.json), use environment variables for DB/SSH passwords, establish SSH tunnels, and invoke the local mysql client. The instructions do not ask the agent to read unrelated files, contact external endpoints other than SSH/mysql hosts, or collect extra system data. Note: the script prints examples and lists configured databases when the config is missing.
Install Mechanism
This is instruction-only (no install spec) which minimizes installer risk. However SKILL.md and INSTALL.md reference copying config from /usr/lib/node_modules/... and require local binaries (mysql client, ssh, optionally sshpass) even though the registry metadata lists 'required binaries: none'. That mismatch is a packaging/metadata omission you should be aware of — the tool will fail at runtime if mysql/ssh (and sshpass when using password-based SSH) are not installed.
Credentials
The script uses environment variables for credentials (DB_PASSWORD_<NAME>, SSH_PASSWORD_<NAME>) and sets MYSQL_PWD/SSHPASS only for subprocess execution. No other unrelated environment variables or cloud credentials are requested. Requiring secrets for the databases you're connecting to is proportional to the functionality.
Persistence & Privilege
The skill is not always-enabled and does not request elevated or persistent platform privileges. It does not modify other skills' configurations. It runs only when invoked by the user/agent.
Assessment
This skill appears to do what it claims (manage SSH tunnels and run MySQL queries). Before installing or using it: - Ensure the local mysql client and ssh are installed (and sshpass if you plan to use password-based SSH). The registry metadata does not declare these requirements, so install them manually if needed. - Prefer key-based SSH authentication rather than sshpass/SSH passwords; if you use passwords, be aware environment variables and process environments can be observable on some systems. - Verify the config file location (~/.config/clawdbot/db-config.json) and file permissions to protect stored secrets. The example encourages storing secrets in env vars rather than the file — follow that advice. - Note the script uses 'StrictHostKeyChecking=accept-new' which will automatically accept new host keys; if you need stricter host verification, edit the script or your SSH options. - Optionally review the included scripts/db_query.py yourself (it's small and readable) before use. The code contains no hidden network endpoints or exfiltration behavior, but it does invoke external programs (ssh, mysql) and will connect to whatever hosts are configured in your config file.

Like a lobster shell, security has layers — review code before you run it.

latestvk97a52kmy90388mme3j3c9nf1982707s
3.2kdownloads
8stars
2versions
Updated 6h ago
v1.0.1
MIT-0
@zenixp
latest
Download

Database Query

Overview

Query databases through a centralized configuration file with automatic SSH tunnel management. Handles connection details, SSH tunnel setup/teardown, and query execution.

Security

Passwords are never exposed in process lists. The skill uses environment variables for credentials:

  • MYSQL_PWD for database passwords (passed to mysql client)
  • SSHPASS for SSH tunnel passwords (passed to sshpass)

Recommended: Store credentials in environment variables instead of the config file for better security.

Configuration

Setup

  1. Create config file at ~/.config/clawdbot/db-config.json:

    mkdir -p ~/.config/clawdbot
# Copy example config and edit
cp /usr/lib/node_modules/clawdbot/skills/db-query/scripts/config.example.json ~/.config/clawdbot/db-config.json

  2. Add database entries with these fields:

    • name: Description used to find the database (required)
    • host: Database host (required)
    • port: Database port (default: 3306)
    • database: Database name (required)
    • user: Database user (required)
    • password: Database password (optional, can use env var)
    • ssh_tunnel: Optional SSH tunnel configuration

  3. SSH tunnel configuration (if needed):

    • enabled: true/false
    • ssh_host: Remote SSH host
    • ssh_user: SSH username
    • ssh_port: SSH port (default: 22)
    • local_port: Local port to forward (e.g., 3307)
    • remote_host: Remote database host behind SSH (default: localhost)
    • remote_port: Remote database port (default: 3306)

Environment Variables (Recommended)

Instead of storing passwords in the config file, use environment variables:

# Format: DB_PASSWORD_<DATABASE_NAME> (spaces replaced with underscores, uppercase)
export DB_PASSWORD_PRODUCTION_USER_DB="your_db_password"

# Format: SSH_PASSWORD_<DATABASE_NAME> for SSH tunnel password
export SSH_PASSWORD_PRODUCTION_USER_DB="your_ssh_password"

Example Config

{
  "databases": [
    {
      "name": "Production User DB",
      "host": "localhost",
      "port": 3306,
      "database": "user_db",
      "user": "db_user",
      "password": "",
      "ssh_tunnel": {
        "enabled": true,
        "ssh_host": "prod.example.com",
        "ssh_user": "deploy",
        "local_port": 3307
      }
    }
  ]
}

Set environment variables (recommended):

export DB_PASSWORD_PRODUCTION_USER_DB="your_db_password"
export SSH_PASSWORD_PRODUCTION_USER_DB="your_ssh_password"

Usage

List Databases

python3 /usr/lib/node_modules/clawdbot/skills/db-query/scripts/db_query.py --list

Query a Database

python3 /usr/lib/node_modules/clawdbot/skills/db-query/scripts/db_query.py \
  --database "Production User DB" \
  --query "SELECT * FROM users LIMIT 10"

The script will:

  1. Find database by matching description in config
  2. Start SSH tunnel (if configured)
  3. Execute query
  4. Automatically close SSH tunnel (important for cleanup)

With Custom Config Path

python3 /usr/lib/node_modules/clawdbot/skills/db-query/scripts/db_query.py \
  --config /path/to/custom-config.json \
  --database "test" \
  --query "SHOW TABLES"

Requirements

  • MySQL client: apt install mysql-client or equivalent
  • SSH client: usually pre-installed on Linux/Mac
  • Python 3.6+

Notes

  • SSH tunnels are automatically closed after query execution
  • Use --list to see all configured databases and their descriptions
  • Database search is case-insensitive partial match on name field
  • Local ports for SSH tunnels should be unique per database

Comments

Loading comments...