ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Museum Data Manager

Manage and query museum database records, track data collection status, verify completeness, and export museum data in JSON, CSV, or SQL formats.

MIT-0 · Free to use, modify, and redistribute. No attribution required.
0 · 21 · 0 current installs · 0 all-time installs
by@jackandking
MIT-0
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
high confidence
Purpose & Capability
Name, description, manifest.env and SKILL.md all align: the tool manages a MySQL museum database and requests MYSQL_HOST / MYSQL_USER / MYSQL_PSWD / DATABASE. Asking for DB credentials is appropriate for this purpose. Minor inconsistency: the code depends on the external 'mycli' binary but the manifest/requirements do not list it as a required binary.
!
Instruction Scope
SKILL.md instructs only database-related operations. However the runtime instructions (museum.py) execute arbitrary SQL supplied by users (museum query and other interpolated values) without sanitization, enabling SQL injection if untrusted input is used. The code also runs an external command (mycli) and passes the DB password on the command line, exposing it in process listings.
Install Mechanism
No install spec — instruction-only with an included Python script. Nothing is downloaded from external URLs or installed automatically. This is low-risk from an install mechanism perspective.
Credentials
The only environment variables requested are MySQL connection credentials, which are proportionate. However, the credential handling is insecure: the password is passed as a command-line argument to subprocess.run (exposed to other local users/process inspectors). Consider using more secure credential handling (socket, .my.cnf, or parameterized DB client).
Persistence & Privilege
always is false and the skill does not request persistent system-wide privileges or modify other skills. Autonomous invocation is allowed by default but not itself a concern here.
What to consider before installing
This skill appears to do what it claims (manage a MySQL museum DB) and only asks for DB credentials, but the implementation has insecure practices you should address before trusting it with real data. Key points to consider: - Review the code yourself (museum.py) before installing from an unknown source. The source/owner are not verified. - Avoid supplying high-privilege credentials. Create a dedicated MySQL user with the minimum privileges needed (SELECT/INSERT/UPDATE/DELETE only as required), not root. - The script shells out to the external 'mycli' program and passes the password on the command line, which can expose the password to other local users/process inspectors. Prefer a client that supports secure credential files or socket auth, or modify the tool to use a Python MySQL client (pymysql/mysql-connector) with parameterized queries. - The tool constructs SQL statements by string interpolation (e.g., custom query, list/get filters). Do not use it with untrusted inputs; sanitize or parameterize queries to avoid SQL injection. - Ensure 'mycli' is installed from a trusted source if you plan to use it; the manifest does not declare it as a required binary. - Run this tool in a controlled environment (isolated machine or container) if the database or environment is sensitive. Verify exported files (JSON/CSV) are stored where you expect and protected. If you cannot review or modify the code, consider rejecting or sandboxing this skill until these issues (command-line password exposure and unsanitized SQL) are resolved.

Like a lobster shell, security has layers — review code before you run it.

Current versionv1.0.0
Download zip
latestvk971ttb69d0gph1kvph3x27v21831cnj

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

SKILL.md

Museum Skill - Museum Data Operations

A skill for reading, querying, and managing museum database operations.

Overview

This skill provides standardized interfaces for operating a museum database, supporting:

  • Querying museum lists and details
  • Checking data collection progress
  • Validating data integrity
  • Exporting data

Perfect for museum data collection projects that need to track and manage information about museums, their collections, and related media.

Installation

# Via clawhub
clawhub install museum

# Or manually
git clone <repository>
cd museum-skill
clawhub link .

Configuration

Set these environment variables in your shell or agent configuration:

export MYSQL_HOST="your-database-host"
export MYSQL_USER="your-username"
export MYSQL_PSWD="your-password"
export DATABASE="museumcheck"  # default name

Or add to your agent's workspace TOOLS.md for automatic loading.

Quick Start

# List all museums
museum list

# Get details of a specific museum
museum get "Museum Name"

# Check collection statistics
museum stats

# Find museums with missing data
museum check

Commands

1. List Museums

museum list [options]

Options:
  --status=STATUS     Filter by status (complete, partial, pending)
  --location=LOC      Filter by location/province
  --limit=N          Limit results (default: 50)
  --offset=N         Pagination offset

Examples:
  museum list --status=complete --limit=10
  museum list --location=Beijing
  museum list --limit=20 --offset=20

2. Get Museum Details

museum get <ID|NAME>

Examples:
  museum get "Shaanxi History Museum"
  museum get dd44a9d7c1ad4a4ba21e00e5f60a7b7e

3. View Statistics

museum stats

Shows:
- Total museum count
- Completed/partial/pending breakdown
- Distribution by location
- Data completeness metrics

4. Check Data Integrity

museum check [ID]

Without ID: Shows museums with missing data
With ID: Checks specific museum completeness

5. Export Data

museum_export --format=FORMAT --output=FILE

Formats:
  json  - JSON format
  csv   - CSV format
  sql   - SQL INSERT statements

Examples:
  museum export --format=json --output=museums.json
  museum export --format=csv --output=museums.csv

6. Custom Query

museum query "SQL_STATEMENT"

Example:
  museum query "SELECT name, location FROM museums WHERE status='complete';"

Database Schema

The skill expects this database structure:

CREATE DATABASE IF NOT EXISTS museumcheck 
CHARACTER SET utf8mb4 
COLLATE utf8mb4_unicode_ci;

CREATE TABLE IF NOT EXISTS museums (
    id VARCHAR(32) PRIMARY KEY,
    name VARCHAR(200) NOT NULL,
    location VARCHAR(100),
    type VARCHAR(100),
    visitors VARCHAR(50),
    is_free VARCHAR(10),
    precious_artifacts VARCHAR(50),
    total_artifacts VARCHAR(50),
    exhibitions VARCHAR(50),
    introduction TEXT,
    top3_artifacts JSON,
    building_photo VARCHAR(500),
    collected_at TIMESTAMP DEFAULT CURRENT_TIMESTAMP,
    status VARCHAR(20) DEFAULT 'pending',
    data_sources TEXT,
    INDEX idx_location (location),
    INDEX idx_status (status)
) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_unicode_ci;

Initialize with:

# The skill will auto-create tables, or you can use:
mysql -h $MYSQL_HOST -u $MYSQL_USER -p$MYSQL_PSWD < schema.sql

Use Cases

Data Collection Workflow

# 1. Check current progress
museum stats

# 2. Get pending items for batch processing
museum list --status=pending --limit=5

# 3. After collecting data, verify completeness
museum check <museum_id>

# 4. Export for backup
museum export --format=json --output=backup.json

Finding Incomplete Records

# Museums missing introductions
museum query "SELECT name, location FROM museums WHERE introduction IS NULL;"

# Museums missing photos
museum query "SELECT name, location FROM museums WHERE building_photo IS NULL;"

# Count by status
museum query "SELECT status, COUNT(*) FROM museums GROUP BY status;"

Batch Operations

# Export only complete records
museum query "SELECT * FROM museums WHERE status='complete';" > complete.csv

# Find museums in a specific region
museum list --location=Shaanxi

Integration with Agent Workflows

In an Agent Task

## Data Collection Task

Use the museum skill to track your progress:

1. Check what's already done:
   ```bash
   museum stats

  1. Get items to work on:

    museum list --status=pending --limit=5

  2. After collecting data for each item:

    • Update the database
    • Verify with museum check <id>

  3. Report progress:

    museum stats


### Automation Example

```bash
#!/bin/bash
# daily_backup.sh

# Export complete data
museum export --format=json --output="backups/museums_$(date +%Y%m%d).json"

# Check for incomplete items
museum check > "reports/incomplete_$(date +%Y%m%d).txt"

Troubleshooting

Connection Failed

# Check environment variables
echo $MYSQL_HOST $MYSQL_USER

# Test connection manually
mycli -h $MYSQL_HOST -u $MYSQL_USER -p$MYSQL_PSWD -e "SELECT 1;"

No Results

  • Verify database name: echo $DATABASE
  • Check if table exists: museum query "SHOW TABLES;"
  • Verify data exists: museum query "SELECT COUNT(*) FROM museums;"

Permission Denied

Ensure your MySQL user has:

  • SELECT, INSERT, UPDATE, DELETE on the database
  • Or full privileges: GRANT ALL ON museumcheck.* TO 'user'@'%';

Tips

  1. Batch Processing: Use --limit and --offset for pagination
  2. Status Tracking: Use status field to track collection progress
  3. JSON Fields: top3_artifacts stores array data; query with JSON functions
  4. UTF8 Support: Database uses utf8mb4 for international character support

Contributing

Contributions welcome! Please submit issues and pull requests.

License

MIT License

Files

5 total
Select a file
Select a file to preview.

Comments

Loading comments…