ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

SQLBot

v1.0.0

Manage SQLBot workspaces, datasources, ask-data flows, and dashboards, including listing and switching workspace or datasource context, asking questions agai...

0· 74·0 current·0 all-time
by@xuwei-fit2cloud

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for xuwei-fit2cloud/sqlboot.

Previewing Install & Setup.
Prompt PreviewInstall & Setup
Install the skill "SQLBot" (xuwei-fit2cloud/sqlboot) from ClawHub.
Skill page: https://clawhub.ai/xuwei-fit2cloud/sqlboot
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install sqlboot

ClawHub CLI

Package manager switcher

npx clawhub@latest install sqlboot
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
high confidence
!
Purpose & Capability
The skill's name and description (managing SQLBot workspaces, datasources, dashboards) match the bundled script's behavior, but the registry metadata lists no required environment variables or credentials while the SKILL.md and sqlbot_skills.py clearly require SQLBOT_BASE_URL, SQLBOT_API_KEY_ACCESS_KEY, and SQLBOT_API_KEY_SECRET_KEY. That mismatch between declared requirements and actual needs is an incoherence the user should be aware of.
Instruction Scope
SKILL.md gives concrete CLI mappings that run the included python script; instructions stay within the stated purpose (listing/switching workspaces, asking questions, exporting dashboards). The skill will check for and read a .env file and persists a local state file with current workspace/datasource. Exporting uses Playwright to drive a browser and attaches API authentication headers to the frontend preview page. Nothing in SKILL.md instructs broad unrelated data collection, but the skill executes a bundled script (so code will run locally) and can read .env files and write the state file — verify which paths are read/written (skill dir vs CWD).
Install Mechanism
There is no install spec (instruction-only skill that executes the included Python file). This lowers supply-chain risk compared with arbitrary downloads. However, exports require an optional Playwright/browser dependency (user is told to pip install playwright and playwright install chromium), which will run a headful/headless browser to render the preview page.
!
Credentials
The script legitimately needs SQLBot credentials and base URL to call the SQLBot APIs and to sign short-lived API tokens. Those are appropriately scoped to the stated purpose, but the registry metadata did not declare them as required env vars — a discrepancy. Additionally, the skill writes a skill-local state file (default .sqlbot-skill-state.json) and may read .env from the skill directory or current working directory (per README), so sensitive credentials could be read from or persisted near the skill if not configured carefully.
Persistence & Privilege
The skill does persist its own local state file but does not request elevated platform privileges or 'always' inclusion. disable-model-invocation is set true (so the model is blocked from autonomously invoking the skill), reducing autonomous blast radius. The skill does not declare modifications to other skills or system-wide settings.
What to consider before installing
Before installing: (1) Recognize the mismatch — the registry says no env vars, but the skill and its SKILL.md require SQLBOT_BASE_URL, SQLBOT_API_KEY_ACCESS_KEY, and SQLBOT_API_KEY_SECRET_KEY. Do not provide production/privileged API keys until you've inspected and tested. (2) Review sqlbot_skills.py source yourself (it is bundled) to confirm how it reads .env and where it writes the state file; explicitly set SQLBOT_STATE_FILE to a location you control if needed. (3) Exports use Playwright: the browser will load the SQLBot frontend preview and the script will attach authentication headers — be aware that rendering the page may cause third-party resources to be fetched; use a safe/test environment when trying exports. (4) Prefer testing against a local or staging SQLBot instance and short-lived API credentials. (5) Ask the publisher to update registry metadata to declare the required env vars and document exact .env lookup behavior (skill dir vs current dir). If you cannot verify these details, treat the skill as risky and avoid supplying sensitive keys.

Like a lobster shell, security has layers — review code before you run it.

latestvk97105r6cetsv363x755vdfe0183ypv0
74downloads
0stars
1versions
Updated 4w ago
v1.0.0
MIT-0
@xuwei-fit2cloud
latest
Download

SQLBot Workspace Datasource Dashboard Skill

Use this skill when the user wants to operate SQLBot workspaces, datasources, ask-data flows, or dashboards from Claude Code / Agent Skills compatible tools.

This skill wraps the bundled script ${CLAUDE_SKILL_DIR}/sqlbot_skills.py.

Before you run it

  1. Check whether ${CLAUDE_SKILL_DIR}/.env exists.
  2. If it does not exist, tell the user to copy ${CLAUDE_SKILL_DIR}/.env.example to .env and fill in:
    • SQLBOT_BASE_URL
    • SQLBOT_API_KEY_ACCESS_KEY
    • SQLBOT_API_KEY_SECRET_KEY
  3. For export requests, if Playwright is missing, tell the user to install it with:
pip install playwright
playwright install chromium

Map the user request to one of these commands

  • List workspaces:
python3 "${CLAUDE_SKILL_DIR}/sqlbot_skills.py" workspace list
  • Switch workspace:
python3 "${CLAUDE_SKILL_DIR}/sqlbot_skills.py" workspace switch "<workspace>"
  • List datasources:
python3 "${CLAUDE_SKILL_DIR}/sqlbot_skills.py" datasource list --workspace "<workspace>"
  • Switch datasource:
python3 "${CLAUDE_SKILL_DIR}/sqlbot_skills.py" datasource switch "<datasource>" --workspace "<workspace>"
  • Ask data:
python3 "${CLAUDE_SKILL_DIR}/sqlbot_skills.py" ask "<question>" --datasource "<datasource>" --workspace "<workspace>"

or continue an existing chat:

python3 "${CLAUDE_SKILL_DIR}/sqlbot_skills.py" ask "<question>" --chat-id 101
  • List dashboards:
python3 "${CLAUDE_SKILL_DIR}/sqlbot_skills.py" dashboard list --workspace "<workspace>"

Optional flags:

  • --node-type folder

  • --node-type leaf

  • --flat

  • Show dashboard:

python3 "${CLAUDE_SKILL_DIR}/sqlbot_skills.py" dashboard show "<dashboard-id>" --workspace "<workspace>"
  • Export dashboard:
python3 "${CLAUDE_SKILL_DIR}/sqlbot_skills.py" dashboard export "<dashboard-id>" --workspace "<workspace>" --format png --output "./dashboard.png"

or

python3 "${CLAUDE_SKILL_DIR}/sqlbot_skills.py" dashboard export "<dashboard-id>" --workspace "<workspace>" --format pdf --output "./dashboard.pdf"

Execution rules

  • Prefer exact workspace names or numeric workspace IDs when switching or querying.
  • Prefer exact datasource names or numeric datasource IDs when switching or asking.
  • Remember that SQLBot dashboard APIs are scoped by the current workspace and current user, so switch workspace before listing or showing dashboards in another workspace.
  • Datasource list and ask-data also depend on the current workspace context.
  • SQLBot has no standalone datasource-switch API, so datasource switch updates the skill-local state file and ask uses that datasource by default when starting a new chat.
  • Preserve the user's requested output path for exports whenever possible.
  • If the user does not provide an export path, use the script default.
  • Summarize the command output clearly after execution.

Additional resources

  • Detailed usage and installation notes: reference.md
  • Repository overview and manual usage examples: README.md

Comments

Loading comments...