Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
SnowflakeDataEngineer
v1.0.0
Execute read-only Snowflake SELECT queries with forbidden keyword blocking, row limits, timeouts, and structured JSON results.
⭐ 0· 412·0 current·0 all-time
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The skill's stated purpose (read-only SELECT execution) matches the code's behavior in broad strokes, but the package requires Snowflake connection parameters (SNOWFLAKE_USER, ACCOUNT, WAREHOUSE, DATABASE, SCHEMA, ROLE, private key path) as seen in app/config.py — yet the registry metadata lists no required env vars or primary credential. The skill therefore implicitly requires secrets/credentials that are not declared in the metadata.
Instruction Scope
SKILL.md and skill.yaml indicate a simple HTTP entrypoint to execute validated SELECT queries. However, the code loads environment variables with python-dotenv (load_dotenv()), which will read a .env file from the environment and populate credentials automatically. This can cause the skill to pick up any secrets present in a local .env file. The validator enforces SELECT-only and blocks explicit DDL/DML keywords, but validation is pattern-based (case-normalized regex) and does not comprehensively parse SQL; there are potential edge cases (complex statements, unusual tokenization) that merit review.
Install Mechanism
There is no install spec, but a requirements.txt lists fastapi, uvicorn, snowflake-connector-python, python-dotenv, and pydantic. The absence of an install step in the registry metadata is an operational mismatch: dependencies are required for the code to run, but the platform metadata doesn't declare how or when they will be installed. The packages themselves are from common PyPI projects (traceable) but will need to be installed in the runtime.
Credentials
The code expects multiple Snowflake-related environment variables (including a private key path) which are sensitive credentials. The registry metadata did not declare these as required env vars or a primary credential, so the skill is asking for broad environment access without documenting it. Also, the use of python-dotenv means a local .env file (potentially containing other secrets) will be loaded automatically, increasing the risk of accidental exposure.
Persistence & Privilege
The skill is not configured as always:true and does not request system-wide persistence or modify other skills' configuration. It runs as an HTTP service entrypoint at localhost:8000/execute, which is a standard deployment pattern and does not itself grant elevated platform privileges.
What to consider before installing
Key things to consider before installing or running this skill:
- Declared vs actual requirements: The registry metadata claims no required credentials, but the code expects Snowflake credentials (user, account, warehouse, database, schema, role, and possibly a private key path). Do not provide these until you confirm how the skill will be hosted and how secrets are supplied.
- dotenv risk: app/config.py calls load_dotenv(), so the skill will read a .env file from its working directory and populate environment variables. If you run this agent in an environment with a .env containing unrelated secrets, the skill could pick those up. Run the skill in an isolated environment or remove/override load_dotenv() if you cannot guarantee .env contents.
- Authentication and metadata mismatch: skill.yaml lists authentication: none while the service needs Snowflake credentials; confirm whether your platform will inject credentials, and if so ensure least-privilege (a Snowflake role with strictly read-only permissions). Require explicit declaration of needed env vars before trusting the skill.
- Validate the validator: The SQL validator is regex-based and appends a LIMIT if missing. Regex checks are brittle — consider stronger protections (reject multiple statements, disallow statement separators, use a SQL parser, or enforce LIMIT server-side). Also ensure ALTER SESSION and other session-level settings are acceptable in your environment.
- Dependency & deployment: requirements.txt lists third-party packages (including the Snowflake connector). Ensure dependencies are installed from trusted sources and run the service in a sandbox/container with limited network/file access.
- Testing: Before giving production credentials, run the service with test-only credentials in an isolated environment to confirm behavior and logging. Review logs and network activity to ensure there are no unexpected outbound endpoints.
If you need, I can list concrete hardening changes (explicit env declarations in skill metadata, remove load_dotenv or restrict to a named file, stricter SQL parsing, and explicit error handling) or produce a checklist for secure deployment.
Like a lobster shell, security has layers — review code before you run it.
