ClawHub

Azure Cosmos DB Python

v0.1.0

Azure Cosmos DB SDK for Python (NoSQL API). Use for document CRUD, queries, containers, and globally distributed data. Triggers: "cosmos db", "CosmosClient", "container", "document", "NoSQL", "partition key".

1· 1.4k·0 current·0 all-time
by@thegovind
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description, SKILL.md examples, and the setup script all target Azure Cosmos DB NoSQL operations (create containers, partitioning, CRUD, queries). The requested capabilities are consistent with the stated purpose.
!
Instruction Scope
The runtime instructions and included CLI script expect COSMOS_ENDPOINT and optionally COSMOS_KEY (or DefaultAzureCredential). However the skill metadata declared no required environment variables. The setup script will perform management actions (create databases/containers, change throughput, run cross‑partition queries and count items) that have broad read/write privileges on the account — appropriate for a DB tool but potentially dangerous if run with full account keys or against production data. The SKILL.md and script do not instruct reading unrelated files, but they do rely on DefaultAzureCredential which may surface system or user credentials transparently.
Install Mechanism
There is no install spec (instruction-only). SKILL.md recommends pip packages (azure-cosmos, azure-identity) which is expected and low-risk. No arbitrary downloads or archive extraction are present.
!
Credentials
The registry declares no required env vars, but SKILL.md and scripts require COSMOS_ENDPOINT and may require COSMOS_KEY (or DefaultAzureCredential). COSMOS_KEY is a full account key (high privilege). The omission of required env vars from metadata is an incoherence and increases risk because users may not realize they are asked for account credentials.
Persistence & Privilege
The skill is not always-on and does not request persistent platform privileges. It does not modify other skills or global agent settings. Autonomous invocation is allowed (platform default) but not uniquely concerning here.
What to consider before installing
This skill appears to be a legitimate Cosmos DB helper, but exercise caution before installing or running its script. Key points: - Metadata omission: the skill metadata lists no required environment variables, yet SKILL.md and the included script require COSMOS_ENDPOINT and may use COSMOS_KEY or DefaultAzureCredential. Ask the publisher to declare required env vars explicitly. - High‑privilege credential: COSMOS_KEY is an account key that grants broad read/write/admin access. Do NOT provide a production account key to an untrusted skill. Prefer using a least‑privilege service principal or managed identity with only the needed permissions. - DefaultAzureCredential caveat: DefaultAzureCredential can pick up credentials from many sources (dev tooling, Azure CLI, managed identity). Be aware which identity will be used in your environment. - Code quality: the included setup_cosmos_container.py has a visible syntax/logic bug (malformed append of excluded path) which may cause runtime crashes — review/fix before running. The script will create containers, change throughput, and can run cross‑partition queries that enumerate counts of all items (possible data exposure), so test against a non‑production account first. Recommendations: ask the publisher for source/homepage, require them to update metadata to list required env vars, inspect and/or lint the script locally, and run only with a scoped test account or role with least privilege.

Like a lobster shell, security has layers — review code before you run it.

latestvk97arx43h76w226c7gadpa7rsh809rae

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments