GraphCare — Structural Database Health Scanner

v1.0.0

Structural database health scanner. Audits schema topology for orphaned tables, missing indexes, nullable FKs, circular dependencies — without ever reading r...

by NLR @nlr-ai
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Benign (medium confidence)
Purpose & Capability
Name/description claim a read-only schema auditor for Postgres/MySQL/SQLite. The code imports pg, mysql2, and sql.js and issues metadata queries (information_schema, pg_indexes, PRAGMA) consistent with the stated capability. Required binary is only node; no unrelated credentials or external endpoints are requested.
Instruction Scope
SKILL.md and index.js describe only metadata queries and JSON-RPC receipt of connection strings via stdin. The Postgres adapter shown issues only information_schema/pg_indexes/pg_index queries (metadata-only). However: index.js imports readFileSync and sql.js (likely used for SQLite). Reading a SQLite file with sql.js necessarily reads the DB file into memory — even if only metadata queries are executed, that process touches the file on disk. Also SKILL.md asserts connection strings are 'never exposed in process listings' (true if delivered via stdin/JSON-RPC), but that guarantee depends on how the MCP runtime is configured (if someone passes connection URIs as process args, they could appear in ps). Finally, SKILL.md suggests Docker usage but no Dockerfile is present in the provided files (inconsistency).
Install Mechanism
There is no install spec in the registry bundle (instruction-only), but a package.json and package-lock are included so the tool is intended to be run with node and standard npm dependencies. Dependencies are typical for an MCP server that speaks to databases (@modelcontextprotocol/sdk, pg, mysql2, sql.js). No remote arbitrary downloads or suspicious install URLs were present in the bundle.
Credentials
The skill requests no environment variables or credentials. That matches its stated purpose: it operates on a connection string supplied at runtime. There are no requests for unrelated secrets or config paths.
Persistence & Privilege
Flags show always:false and no claims of permanently altering agent/system configuration. The code asserts 'STATELESS' and the package manifest does not request escalated privileges; nothing in the bundle suggests persistent presence or modification of other skills.
Assessment
GraphCare appears to implement a schema-only audit and is internally consistent, but take these precautions before installing:

1) Prefer invoking audits by passing connection URIs over the MCP JSON-RPC (stdin) rather than as process args to avoid leaking URIs in process listings.
2) If you plan to audit SQLite files, realize sql.js/readFileSync will read the DB file from disk — review the code and consider running scans in an isolated environment if the DB contains sensitive row data.
3) The SKILL.md shows Docker-based installation but no Dockerfile is included; follow safe install practices (review package.json and package-lock, install dependencies from their registries, run in a sandbox or container you control).
4) If you need higher assurance, request the full (untruncated) index.js for manual review or run the tool against a non-production snapshot first.

Overall the skill looks coherent with its stated purpose, but validate how you supply connection strings and where you run it.


Tags: database, health, latest, mcp, mysql, postgresql, security, sqlite

Runtime requirements

🛡 Clawdis
Bins: node

SKILL.md

GraphCare — Structural Database Health Scanner

The first structural antivirus for AI databases. Scans your schema topology for hidden problems — without ever touching your data.

Why

AI agents evolve schemas at speed. But nobody audits the structure. Over time:

  • Foreign keys lose their indexes (JOINs slow to a crawl)
  • Tables drift into isolation (orphaned, unreachable data)
  • Primary keys go missing (replication breaks, ORMs fail)
  • Nullable FKs create silent referential gaps
  • Circular dependencies make inserts impossible
  • Redundant indexes waste disk and slow writes

GraphCare catches all of this in one scan.

Zero-Trust by Design

GraphCare only queries metadata (information_schema, PRAGMA, pg_indexes). It is structurally impossible for it to read, leak, or mutate your row data.

  • READ-ONLY: Zero writes, zero mutations
  • NO ROW DATA: Only schema metadata is accessed
  • STATELESS: Memory purged after every scan

Setup

GraphCare is an MCP server. Add it to your MCP client config:

{
  "mcpServers": {
    "graphcare": {
      "command": "node",
      "args": ["/path/to/graphcare/index.js"]
    }
  }
}

Or run via Docker:

docker build -t graphcare .
docker run -i graphcare

Or install from npm:

npm install -g graphcare-mcp
graphcare-mcp

Tools

audit_db_structure

Full structural scan. Pass a connection string, get a complete health report.

Parameters:

  • connection_string (required) — Database URI: postgresql://, mysql://, sqlite:///path/to/db, or just file.db

Returns: JSON report with:

  • db_type — Database engine detected
  • tables[] — All tables found
  • findings[] — Each structural issue with type, severity, table, and message
  • metrics{} — Counts per finding type + computed health_score (0-100)

Example:

Use graphcare to audit my database at postgresql://localhost:5432/myapp

The agent calls audit_db_structure with the connection string and receives a structured JSON report.

explain_finding

Plain-language explanation of any finding type. Includes severity, impact, and recommended fix.

Parameters:

  • finding_type (required) — One of: orphaned_table, missing_fk_index, duplicate_index, nullable_fk, no_primary_key, circular_dependency
  • context (optional) — Table or column name for specific advice

What GraphCare Detects

| Finding | Severity | Impact |
|---|---|---|
| Orphaned Tables | Warning | Structurally isolated dead weight |
| Missing FK Indexes | Critical | #1 cause of slow JOINs and DELETEs |
| No Primary Key | Critical | Breaks replication and ORMs |
| Nullable Foreign Keys | Warning | Hidden referential integrity gaps |
| Circular Dependencies | Warning | Makes clean inserts impossible |
| Duplicate Indexes | Info | Wasted disk, slower writes |
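
To show how four of these findings can be derived from schema metadata alone, here is an added example (not GraphCare's own code) that runs over constructed catalog rows. The table names, the row shape, and the rule that a foreign key counts as indexed only when it is the leading column of an index are assumptions; duplicate_index and no_primary_key are not covered.

```javascript
// Constructed metadata, shaped like rows a catalog query might return.
// All table and column names here are hypothetical.
const schema = {
  tables: ["users", "orders", "order_items", "audit_log", "a", "b"],
  fks: [
    { table: "orders", column: "user_id", ref: "users", nullable: false },
    { table: "order_items", column: "order_id", ref: "orders", nullable: true },
    { table: "a", column: "b_id", ref: "b", nullable: false },
    { table: "b", column: "a_id", ref: "a", nullable: false },
  ],
  indexes: [
    { table: "orders", columns: ["user_id"] },
    { table: "a", columns: ["b_id"] },
    { table: "b", columns: ["a_id"] },
  ],
};

function auditStructure({ tables, fks, indexes }) {
  const findings = [];
  const linked = new Set();
  const graph = new Map(tables.map((t) => [t, []]));
  for (const fk of fks) {
    linked.add(fk.table).add(fk.ref);
    graph.get(fk.table).push(fk.ref);
    // Assumption: an FK counts as indexed only when it leads some index.
    const covered = indexes.some((i) => i.table === fk.table && i.columns[0] === fk.column);
    if (!covered) findings.push({ type: "missing_fk_index", table: fk.table, column: fk.column });
    if (fk.nullable) findings.push({ type: "nullable_fk", table: fk.table, column: fk.column });
  }
  for (const t of tables) if (!linked.has(t)) findings.push({ type: "orphaned_table", table: t });

  // Depth-first search: meeting a table still on the stack ("grey") closes a cycle.
  const state = new Map();
  const visit = (t, path) => {
    state.set(t, "grey");
    for (const next of graph.get(t)) {
      if (state.get(next) === "grey") {
        const cycle = [...path.slice(path.indexOf(next)), next];
        findings.push({ type: "circular_dependency", table: next, cycle });
      } else if (!state.has(next)) visit(next, [...path, next]);
    }
    state.set(t, "black");
  };
  for (const t of tables) if (!state.has(t)) visit(t, [t]);
  return findings;
}

console.log(JSON.stringify(auditStructure(schema), null, 2));
```

Nothing in the function touches row data; every input is a table name, a column name, or a constraint flag.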

Supported Databases

  • PostgreSQL — Full 6-finding detection via information_schema + pg_indexes
  • MySQL — Full detection via information_schema
  • SQLite — Full detection via sqlite_master + PRAGMA

Security

This tool runs read-only queries against database metadata catalogs only. It never executes SELECT on user tables, never writes, and holds no state between invocations. Connection strings are received via MCP JSON-RPC over stdin — never exposed in process listings.
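
Whether a connection string stays out of process listings depends on the client configuration, as the scan's assessment notes. The following added example (not part of GraphCare) checks an MCP client config of the shape shown under Setup for database URIs placed in command-line args, and redacts the password before reporting. The server name graphcare-leaky, the host, and the credentials are constructed.

```javascript
// Constructed MCP client config: the second entry passes the URI as an argument,
// which makes it visible to anyone who can list processes on the host.
const mcpConfig = {
  mcpServers: {
    graphcare: { command: "node", args: ["/path/to/graphcare/index.js"] },
    "graphcare-leaky": {
      command: "node",
      args: ["/path/to/graphcare/index.js", "postgresql://app:s3cret@db.example.test:5432/myapp"],
    },
  },
};

// URI schemes the page lists as accepted connection strings.
const DB_URI = /^(postgres(?:ql)?|mysql|sqlite):\/\/\S+/i;

// Mask the password portion so the finding itself can be logged safely.
function redact(uri) {
  return uri.replace(/(:\/\/[^:@\/\s]+):[^@\/\s]*@/, "$1:***@");
}

// Return one entry per database URI found in a server's args array.
function findExposedUris(config) {
  const exposed = [];
  for (const [name, server] of Object.entries(config.mcpServers ?? {})) {
    (server.args ?? []).forEach((value, i) => {
      if (typeof value === "string" && DB_URI.test(value)) {
        exposed.push({ server: name, where: `args[${i}]`, uri: redact(value) });
      }
    });
  }
  return exposed;
}

console.log(findExposedUris(mcpConfig));
```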


Built by Mind Protocol.
