SQL Report Generator

Advisory: Audited by VirusTotal on Mar 27, 2026.

Overview

Type: OpenClaw Skill
Name: sql-report-generator
Version: 1.0.1

The sql-report-generator skill bundle is a comprehensive and legitimate tool for creating data-driven reports and dashboards. The codebase consists of statistical analysis logic (scripts/ai_insights.py), a large library of industry-standard dashboard templates (scripts/dashboard_templates.py), and UI components for HTML report generation (scripts/interactive_components.py). The security review found no evidence of data exfiltration, malicious execution (such as eval/exec or unauthorized shell commands), or harmful prompt injection. The use of base64 encoding is strictly limited to embedding matplotlib-generated charts into HTML reports, and the dependencies listed in requirements.txt are standard data science libraries.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Concern: Medium Confidence
ASI05: Unexpected Code Execution
What this means

A report generated from untrusted or contaminated data could run unwanted JavaScript in the viewer’s browser.

Why it was flagged

The HTML renderer inserts dynamic Insight fields directly into HTML with no visible escaping or sanitization. Because the skill generates insights from DataFrame/SQL report data, malicious source strings could become executable markup when a user opens or shares the generated report.

Skill content
html_parts.append(f"{insight.title}")
...
html_parts.append(f"<div class='meta-item'><span class='meta-label'>指标:</span> {insight.metric}</div>")
...
html_parts.append(f"<div class='insight-description'>{insight.description}</div>")
Recommendation

Escape all dynamic HTML fields, use a templating engine with auto-escaping, sanitize database text before report generation, and consider a restrictive Content Security Policy for generated HTML.

What this means

Installing dependencies changes the local Python environment and relies on package sources available at install time.

Why it was flagged

The skill requires dependency installation even though the registry install section says there is no install spec. Installing Python packages is expected for this reporting tool, but users should notice the extra setup and dependency provenance.

Skill content
Dependencies must be installed before first use: `skillhub_install install_skill sql-report-generator` ... Manual installation | `pip install -r requirements.txt`
Recommendation

Install in a virtual environment, review requirements.txt, and prefer pinned or internally mirrored dependencies for production use.

What this means

Readers may not realize that some report conclusions are produced automatically rather than written by a human analyst.

Why it was flagged

The skill directs the agent to avoid AI wording in outputs. This is not necessarily malicious because the module is described as statistical and not using an external AI API, but users should understand that recommendations are automatically generated.

Skill content
Do not use wording such as "AI洞察" (AI insights) or "AI分析" (AI analysis) in outputs ... use neutral phrasing such as "洞察分析" (insight analysis) or "统计分析" (statistical analysis) instead
Recommendation

Clearly disclose the analysis method, such as “automated statistical analysis,” especially for reports used in business decisions.