SQL Master
v1.0.1SQL 查询、数据获取智能体。覆盖 SQL 全链路能力:自然语言转生产级 SQL、慢查询诊断与执行计划分析、索引设计与优化、数仓建模、SQL 原理深度科普、查询结果可视化。支持 MySQL / PostgreSQL / Hive / Spark SQL / ClickHouse / BigQuery 多方言。触发...
⭐ 4· 192·0 current·0 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
medium confidencePurpose & Capability
Name/description, SKILL.md, and included scripts (database_connector.py, file_connector.py, pipeline modules and many SQL reference docs) align: the skill implements SQL generation/diagnosis, local file loading, DB connectors and pipeline orchestration for visualization/reporting. The declared capabilities reasonably explain the included files.
Instruction Scope
Runtime instructions focus on installing Python dependencies and using the provided pipeline and connectors. They explicitly enable reading local files (CSV/Excel/SQLite) and connecting to databases when the user supplies connection parameters. The SKILL.md does not instruct the agent to read unrelated system config or to transmit data to unknown external endpoints. Note: the documentation expects the user/agent to provide DB credentials at call time (via function args), so credential handling happens at runtime and is not declared as environment requirements.
Install Mechanism
No formal install spec was declared in the metadata, but SKILL.md tells users to run 'skillhub_install install_skill sql-master' or 'pip install -r requirements.txt'. The code bundle includes a requirements.txt (contents not shown). This is a common pattern; risk is the usual pip dependency risk (third‑party packages may be pulled). There are no obvious download-from-URL or archive-extract instructions in the provided materials.
Credentials
The registry metadata does not request environment variables or credentials. The skill requires credentials only when the user chooses to connect to a DB (credentials are provided as function parameters in examples). This is proportionate to its purpose. Users should avoid supplying production/high-privilege credentials to untrusted skills.
Persistence & Privilege
The skill does not request always:true, does not declare privileged persistence, and does not attempt to modify other skills/configs in the provided docs. It runs as an optional skill and expects explicit invocation or user-supplied actions.
Assessment
This skill appears to do what it says: generate and optimize SQL, connect to databases, load local files, and build charts/reports. Before installing: (1) Inspect requirements.txt to see which Python packages will be installed and whether any network-capable packages are included; (2) Prefer running installation inside an isolated virtualenv/container; (3) Never paste high-privilege production credentials into examples — create a read-only or limited user for testing; (4) If you plan to allow the skill to connect to databases or local files, review the scripts (database_connector.py, file_connector.py, unified_pipeline.py) for any unexpected network calls or uploads; (5) Because the package owner is unknown and there is no formal install spec in the registry metadata, exercise standard caution (sandbox install, review third-party dependencies). If you can share the requirements.txt and the full content of the connector scripts, I can re-check for network endpoints, hard-coded secrets, or suspicious behavior and raise the confidence of this assessment.Like a lobster shell, security has layers — review code before you run it.
latestvk9709xntxdp4hc0zbh3fkammxh83ppp7
License
MIT-0
Free to use, modify, and redistribute. No attribution required.