Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Realtime DB Query

v1.0.0

Query Oracle and MySQL databases via JDBC thin driver using natural language. Supports chart generation (bar, pie, line) with automatic Feishu image delivery...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan

VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The code files implement JDBC-based Oracle/MySQL read-only queries, schema discovery, chart generation, and Feishu image delivery — this matches the skill description. However, the manifest/metadata declares no required env vars or credentials, while the code expects FEISHU_APP_ID, FEISHU_APP_SECRET and FEISHU_UNION_ID for automatic image delivery and may read TNS_ADMIN for Oracle wallets. That mismatch (undocumented required env vars) is notable.
Instruction Scope
SKILL.md instructs use of connection_manager.add_connection and describes memory/connections.json and schema caching; the code follows that. The skill stores DB credentials in memory/connections.json (plaintext) and writes schema files into memory/, and will send generated images to Feishu if the Feishu env vars are set. There are no hidden network endpoints beyond Maven Central and Feishu, but automatic external delivery (Feishu) means query results and charts may leave the host if credentials are configured.
Install Mechanism (flagged)
No platform install spec in the registry, but the included scripts auto-download JDBC JARs from Maven Central (repo1.maven.org), which is expected. More concerning: chart_utils attempts to auto-install Python packages (pip install matplotlib) and system fonts via 'sudo apt-get install fonts-noto-cjk' — this invokes the system package manager with sudo and may alter the host environment. The use of --break-system-packages and the need for sudo raise the install risk; these behaviors should be manually reviewed and run in a controlled environment.
Credentials (flagged)
The code expects Feishu credentials (FEISHU_APP_ID, FEISHU_APP_SECRET, FEISHU_UNION_ID) and may use TNS_ADMIN for Oracle wallets, but the skill metadata declares no required env vars or primary credential. Storing DB passwords locally in memory/connections.json is functional but sensitive. Automatic downloads and potential network calls are proportional to the skill's function but the undocumented Feishu env requirement and plaintext local storage are problematic for deployment without review.
Persistence & Privilege
The skill does not request 'always: true' and does not modify other skills. It writes to its own skill directory (lib/, memory/, charts/) and will persist DB connection credentials and cached schemas there. The ability to run sudo apt-get (via chart_utils) is a privilege escalation risk in practice if that script is executed on a host where the skill runs with the ability to use sudo.
What to consider before installing
Key things to consider before installing/using this skill:

- Expectation vs metadata: The package metadata declares no required env vars, but the code requires FEISHU_APP_ID, FEISHU_APP_SECRET and FEISHU_UNION_ID for automatic image delivery — provide those only if you trust the skill and the destination. If you don't want external delivery, do not set the Feishu env vars or disable send_to_feishu.
- Credential storage: Database credentials are stored in memory/connections.json in plaintext. Do not use this skill with production credentials unless you accept local plaintext storage or implement secure storage/encryption.
- System changes: chart_utils will attempt to install Python packages and call 'sudo apt-get' to install fonts. Run install steps manually in a controlled environment (or container) rather than letting the skill auto-run these commands. Review and run install_jdbc.sh yourself; it downloads JARs from Maven Central (expected) but will write files into the skill directory.
- Network endpoints: JDBC drivers are downloaded from repo1.maven.org (standard). Feishu API calls go to open.feishu.cn — if you enable Feishu, generated images and metadata will be sent there. Ensure that transmitting schema/query results to Feishu complies with your data policies.
- Review & isolate: Inspect the scripts locally and run them in an isolated environment (container/VM) before granting access to sensitive databases. Consider using read-only DB users and limiting network access for the environment where this skill runs.
- If you need further confidence: ask the author for a signed release/homepage, or request that required env vars be declared in the registry metadata and that credential storage be encrypted or integrated with a secrets manager.
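A pre-install audit of the kind the checklist above recommends, written here as an added example (it is not code from the skill or from ClawHub): it walks a downloaded skill directory, collects the environment variables the Python sources read, compares them with the set the metadata declares, and lists install-time commands (sudo, apt-get, pip install) that would touch the host. The sample skill files it writes are constructed to mirror the findings in this report; the registry manifest format is not known here, so the declared env vars are passed in as a plain tuple.

```python
"""Pre-install audit of a skill directory (added example, not the skill's
own code): lists env vars the code reads but the metadata does not declare,
and install-time commands that change the host (sudo, apt-get, pip install)."""
import re
import tempfile
from pathlib import Path

# os.environ["X"], os.environ.get("X") and os.getenv("X") in Python sources.
ENV_READ = re.compile(
    r"""os\.(?:environ(?:\.get)?|getenv)\s*[\(\[]\s*["']([A-Z0-9_]+)["']""")
# Host-changing commands in Python or shell sources, up to the closing quote.
HOST_CMD = re.compile(r"""\b(?:sudo\b|apt-get install|pip3? install)[^"'\n]*""")

def audit_skill(skill_dir, declared_env=()):
    """Return undeclared env vars and host-changing commands found under skill_dir."""
    undeclared, host_cmds = set(), []
    for path in sorted(Path(skill_dir).rglob("*")):
        if path.suffix not in {".py", ".sh"}:
            continue
        text = path.read_text(errors="replace")
        for var in ENV_READ.findall(text):
            if var not in declared_env:
                undeclared.add(var)
        for match in HOST_CMD.finditer(text):
            host_cmds.append((path.name, match.group(0).strip()))
    return {"undeclared_env": undeclared, "host_commands": host_cmds}

def demo(declared_env=()):
    """Constructed sample skill (not the real one) mirroring the scan findings."""
    skill = Path(tempfile.mkdtemp())
    (skill / "feishu.py").write_text(
        'import os\n'
        'APP_ID = os.environ.get("FEISHU_APP_ID")\n'
        'SECRET = os.getenv("FEISHU_APP_SECRET")\n')
    (skill / "chart_utils.py").write_text(
        'import subprocess\n'
        'subprocess.run("pip install matplotlib --break-system-packages", shell=True)\n'
        'subprocess.run("sudo apt-get install fonts-noto-cjk", shell=True)\n')
    return audit_skill(skill, declared_env)

if __name__ == "__main__":
    report = demo()
    print("undeclared env vars:", sorted(report["undeclared_env"]))
    for filename, cmd in report["host_commands"]:
        print(f"host command in {filename}: {cmd}")
```

Run it against the unpacked skill directory instead of the constructed sample by calling audit_skill(path, declared_env) with whatever the registry metadata actually declares.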




SKILL.md

db-query

Natural language database query skill for Oracle and MySQL via JDBC. JDBC drivers are downloaded automatically on first query — no manual setup required.

Usage

Add a connection

Oracle:

Use connection_manager.add_connection to add an Oracle connection.
Required: alias, db_type="oracle", user, password, jdbc_url
Optional: wallet_path (for TCPS/ADB connections)

MySQL:

Use connection_manager.add_connection to add a MySQL connection.
Required: alias, db_type="mysql", user, password, jdbc_url

Query

Use oracle_query.query() or mysql_query.query() to execute SQL.
Results are returned as formatted markdown tables.

Generate Charts

Use chart_utils.generate_chart(sql_results, chart_type="bar")
Supported types: bar, pie, line
Images are automatically delivered via Feishu.

Schema Discovery

Use schema_discovery.get_tables() to discover database schema.
Use schema_discovery.get_columns(table_name) to get column details.
FK relationships are cached for JOIN optimization.

Memory

Connection metadata is stored in memory/connections.json. Schema DDL is cached in memory/ per connection alias.

Timeout

Fuzzy table/column matching has a 1-minute timeout. On timeout: provide more specific table/column names or request a schema update.
