ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Highgo Db

通过瀚高数据库(HighGo DB)提供的自定义 psycopg2 驱动连接数据库。该驱动已内置于技能中,支持 Python 2.7 和国密 SM4 安全特性。

MIT-0 · Free to use, modify, and redistribute. No attribution required.
0 · 59 · 0 current installs · 0 all-time installs
by@ygp987
MIT-0
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
!
Purpose & Capability
The skill's description promises a HighGo-custom psycopg2 driver (including SM4 features and compiled .so for Python 2.7) bundled in the skill. The file manifest contains many pure‑Python psycopg2 modules but does not include any compiled extension (e.g., _psycopg.so or other .so files) nor a homepage/source provenance. That makes the claim of an "builtin" compiled driver inconsistent: either the compiled binary is missing from the package or the skill expects system libraries that are not declared. This is disproportionate to the stated simple query-execution purpose.
Instruction Scope
SKILL.md instructs running scripts under Python 2.7 and passing DSN credentials on the command line (execute_query.py). The instructions do not request unrelated system files or credentials, but they do instruct use of Python 2.7 and setting LD_LIBRARY_PATH to load shared libraries — which is consistent only if compiled artifacts exist. Passing passwords on the command line can expose them via process lists; the instructions don't warn about that. No instructions to exfiltrate data or call external endpoints are present.
Install Mechanism
There is no install spec; the skill is instruction-only with vendored Python modules. That limits installer-level risk. However, the README/SKILL.md mention automatic LD_LIBRARY_PATH adjustments and AUR/PGP steps for Arch; without an install step in the skill, those are only documentation and may require manual system changes by the user.
Credentials
The skill declares no required environment variables or credentials, which matches the manifest. At runtime it expects the user to supply DB DSN/credentials (via CLI). The skill's claims about built-in compiled driver and specific system libraries (libpython2.7.so, libldap_r) imply system-level dependencies that are not tracked in metadata — this is a proportionality concern because the skill suggests more system access than it formally requests.
Persistence & Privilege
always is false and model invocation is allowed (defaults). The skill does not request permanent presence or modify other skills' configurations in the provided files. No privileged persistence behavior is observable.
What to consider before installing
This package looks like a vendored psycopg2 (pure-Python modules) but claims to include a HighGo-specific compiled driver and SM4 support — yet no compiled _psycopg/.so files or clear source/homepage are present. Before using: 1) Do not run on sensitive hosts or production systems; test in an isolated environment. 2) Verify whether the compiled driver (_psycopg or other .so) is actually provided elsewhere; the skill as packaged may fail or rely on system-installed binaries. 3) Be cautious passing DB passwords on the command line (exposed to other local users via process lists); prefer environment variables or protected config files if available. 4) Confirm provenance and license of the vendor driver (unknown source ID, no homepage). 5) Prefer official, up-to-date drivers where possible — this skill requires Python 2.7 (EOL) which raises security concerns. If you need to proceed, inspect scripts/execute_query.py and any runtime steps locally, and ensure necessary native libraries come from trusted sources.

Like a lobster shell, security has layers — review code before you run it.

Current versionv0.1.0
Download zip
latestvk972whw1f8ehmntqp76sr7bz2983724v

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

SKILL.md

瀚高数据库 (HighGo DB) 连接技能

此技能允许使用瀚高提供的修改版 psycopg2 驱动连接瀚高数据库。该驱动已内置在技能的 assets/driver/ 目录下。

注意:内置驱动是针对 Python 2.7 编译的,必须在 Python 2.7 环境下运行。

核心功能

  1. 执行 SQL 语句: 在瀚高数据库中运行查询或管理指令。
  2. 内置驱动驱动支持: 自动加载集成在技能内部的瀚高专用 psycopg2 驱动。
  3. 环境适配: 脚本已适配 Python 2.7,并能自动处理内部共享库(.so)的加载。

运行环境要求

  • Python: 必须安装 Python 2.7。
  • 系统库:
    • libpython2.7.so.1.0
    • libldap_r-2.4.so.2 (或兼容版本)
  • Arch Linux 用户: 如遇到依赖或 PGP 密钥问题,请参阅 references/driver_info.md 的安装建议。

使用指南

1. 执行查询

直接使用 python2 调用技能内部的 execute_query.py。由于驱动已内置,通常无需指定驱动路径。

示例命令:

python2 highgo-db/scripts/execute_query.py \
  --dsn "host=10.238.18.128 port=5866 dbname=ficc user=fic password='PASSWORD' options='-c search_path=system'" \
  --sql "SELECT count(*) FROM sys_user;"

2. 注意事项

  • DSN 参数: 瀚高数据库通常需要指定 options='-c search_path=system' 来正确访问系统表。
  • 驱动覆盖: 如果需要使用外部驱动,仍可通过 --driver 参数手动指定。

参考资料

Files

17 total
Select a file
Select a file to preview.

Comments

Loading comments…