Skill v1.0.0

ClawScan security

Sql Server Skills · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Mar 6, 2026, 11:04 PM
Verdict
suspicious
Confidence
medium
Model
gpt-5-mini
Summary
The skill appears to do what it says (SQL Server diagnostics via sqlcmd/T‑SQL) and contains only local SQL scripts, but there are packaging/information mismatches (missing declared env vars and undeclared SQL_DATABASE usage) and a few places where write actions (ALTER INDEX / DDL / KILL) are present and must be carefully controlled.
Guidance
This skill looks functionally consistent with being a SQL Server diagnostics toolkit, but there are a few red flags to check before installing or running it:

- Metadata mismatch: the registry metadata lists no required env vars, but the SKILL.md declares SQL_SERVER, SQL_USER, and SQL_PASSWORD. Confirm your platform will present those credentials to the skill and won't silently run without them.
- Undeclared env var: examples use SQL_DATABASE (e.g. -d "$SQL_DATABASE"), which is not listed in the declared credentials. If your environment does not provide SQL_DATABASE, the example commands may fail or use defaults you don't expect. Ensure all needed variables are declared and provided.
- Dangerous operations present: most supplied scripts are read-only DMV queries, but separate sub-skill sections and scripts produce ALTER INDEX, DROP or other DDL statements, and the KILL command is present (commented out). Do NOT allow the agent to run these write/DDL scripts autonomously. Use a least-privilege monitoring login (VIEW SERVER STATE / VIEW DATABASE STATE, etc.) and avoid giving sysadmin privileges to the agent.
- Operational controls: restrict this skill to user-invoked runs, or require human approval before executing any non-read-only command. Audit and review any generated CREATE/ALTER/DROP statements before applying them.

If you want to proceed: validate the declared env vars on your platform (add SQL_DATABASE if needed), create a dedicated monitoring account with the minimal permissions described in SECURITY.md, and ensure the agent is prevented from autonomously executing DDL or KILL commands.
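The three client-side controls the guidance asks for (fail fast when a connection variable is missing, refuse to run write/DDL/KILL scripts without a human approval, and keep the password out of the process list) can be enforced in a small wrapper around sqlcmd. The script below is an added example for this page; it is not part of the Sql Server Skills package or of ClawHub. The variable names SQL_SERVER, SQL_USER, SQL_PASSWORD and SQL_DATABASE are the ones named in the scan above; the function names, the keyword list, the APPROVED flag and the sample .sql files are assumptions made here.

```shell
#!/bin/sh
# Added example (not part of the Sql Server Skills package): a pre-flight gate for
# running the skill's T-SQL files through sqlcmd. Env var names follow the scan;
# function names, the keyword list and the approval flag are assumptions made here.

# check_env: report every missing connection variable, including SQL_DATABASE,
# which the skill's examples use but its SKILL.md never declares. Returns 1 if any is unset.
check_env() {
  missing=0
  for v in SQL_SERVER SQL_USER SQL_PASSWORD SQL_DATABASE; do
    eval "val=\${$v:-}"
    if [ -z "$val" ]; then
      echo "missing required env var: $v" >&2
      missing=1
    fi
  done
  return $missing
}

# strip_comments: drop -- line comments and /* */ block comments (multi-line too),
# so a commented-out KILL is not counted but live statements are. String literals
# are not parsed, so a literal containing -- hides whatever follows it on that line.
strip_comments() {
  awk '
    BEGIN { inblk = 0 }
    {
      line = $0; out = ""
      while (length(line) > 0) {
        if (inblk) {
          e = index(line, "*/")
          if (e == 0) { line = ""; break }
          line = substr(line, e + 2); inblk = 0
        } else {
          s = index(line, "/*"); d = index(line, "--")
          if (s == 0 && d == 0) { out = out line; break }
          if (d > 0 && (s == 0 || d < s)) { out = out substr(line, 1, d - 1); break }
          out = out substr(line, 1, s - 1); line = substr(line, s + 2); inblk = 1
        }
      }
      print out
    }' "$1"
}

# classify_sql: print "read-only" when no write/DDL/KILL/EXEC keyword survives comment
# stripping, otherwise "write". Deliberately conservative: a SELECT that only generates
# ALTER INDEX text is flagged too, because that output must be reviewed before use.
classify_sql() {
  if strip_comments "$1" | grep -Eiwq \
      'ALTER|CREATE|DROP|TRUNCATE|INSERT|UPDATE|DELETE|MERGE|KILL|EXEC|EXECUTE|GRANT|REVOKE|DENY'
  then
    echo write
  else
    echo read-only
  fi
}

# run_checked SCRIPT [APPROVED]: run only if the environment is complete and the script
# is read-only, or a human passed "yes" as the second argument. The password reaches
# sqlcmd through SQLCMDPASSWORD rather than -P, so it does not show up in `ps` output.
run_checked() {
  script="$1"; approved="${2:-no}"
  check_env || return 2
  kind=$(classify_sql "$script")
  if [ "$kind" = write ] && [ "$approved" != yes ]; then
    echo "refusing $script: contains write/DDL/KILL statements; review it and rerun with yes" >&2
    return 3
  fi
  SQLCMDPASSWORD="$SQL_PASSWORD" sqlcmd -S "$SQL_SERVER" -d "$SQL_DATABASE" \
    -U "$SQL_USER" -b -i "$script"
}
```

Invoke it as `run_checked path/to/script.sql` for unattended runs and `run_checked path/to/script.sql yes` only after a person has read the file. The gate is intentionally one-sided: it never lets a flagged script through on its own, but it also cannot see what a stored procedure does or what a generated ALTER INDEX string will become, so it complements rather than replaces the server-side control the guidance describes, a monitoring login holding VIEW SERVER STATE / VIEW DATABASE STATE and nothing that permits ALTER, DROP or KILL.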

Review Dimensions

Purpose & Capability
note
The name and description match the actual content: T-SQL DMV scripts, index/schema guidance, execution plan help, and sqlcmd examples. Requiring SQL connection credentials is appropriate for this purpose. However, the registry metadata at the top of the evaluation lists no required env vars, while the SKILL.md frontmatter explicitly declares credentials (SQL_SERVER, SQL_USER, SQL_PASSWORD). That mismatch is an incoherence in packaging/metadata that should be resolved before trusting automatic wiring of credentials.
Instruction Scope
concern
Runtime instructions tell the agent to run local sqlcmd with the provided credentials and to execute numerous DMV/read-only scripts; this is expected. But the examples and commands reference an environment variable SQL_DATABASE in multiple places that is not declared in the SKILL.md credentials block (only SQL_SERVER/SQL_USER/SQL_PASSWORD are declared). The skill also contains scripts and guidance that propose ALTER INDEX and other DDL operations (these are declared in the write_access section, but such actions are powerful). The KILL command appears commented out and is explicitly warned against, which is good, but the presence of destructive/DDL SQL in the repo means you must ensure the agent never runs it autonomously.
Install Mechanism
ok
There is no install spec and the skill is instruction+script only, which minimizes supply-chain risk. The included build script only merges SKILL.md files and zips them locally; it does not download or execute remote code. The README mentions git/GitHub release URLs (for manual install), but the skill itself performs no downloads at runtime.
Credentials
note
Requesting SQL connection credentials (server/username/password) is proportional to performing SQL diagnostics. The skill also describes appropriate least-privilege permissions for that login (in SECURITY.md). That said, the registry metadata showing no required env vars contradicts the skill frontmatter, and an example uses SQL_DATABASE, which is not declared; confirm exactly which env vars the platform will provide before installing.
Persistence & Privilege
ok
The skill is not marked always:true and does not request any system-level persistence. It contains no mechanism to modify other skills or global agent configuration. Autonomous invocation is allowed by default (disable-model-invocation is false); that is normal, but combined with DDL/write capabilities it means you should control when it runs and with which credentials.