Database Skill
PassAudited by VirusTotal on May 10, 2026.
Overview
Type: OpenClaw Skill Name: database-skill Version: 1.1.0 The database-skill bundle is a comprehensive and professionally developed tool for managing Volcengine database instances. It follows security best practices by enforcing read-only SQL execution for standard queries and requiring a ticket-based approval workflow for DML/DDL changes. Credential management is handled safely, with explicit instructions in SKILL.md to avoid leaking secrets via shell commands. The codebase (scripts/toolbox.py, scripts/dbw_client.py) uses standard libraries for HMAC-SHA256 request signing and API interaction, while the analysis components (scripts/multi_source_analyzer.py) utilize DuckDB and Pandas for local data processing. No evidence of prompt injection, data exfiltration, or malicious execution was found.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The skill can act using the database/cloud privileges of the configured credentials, including listing instances, querying metadata/data, and creating change tickets.
The skill loads cloud/API credentials from the environment and .env. This is expected for a database cloud integration, but it gives the skill delegated access to the user's database/workbench account and is not reflected in the registry credential declarations.
self.ak = ak or os.environ.get("VOLCENGINE_ACCESS_KEY")
self.sk = sk or os.environ.get("VOLCENGINE_SECRET_KEY")
self.api_base = os.environ.get("ARK_SKILL_API_BASE")
self.api_key = os.environ.get("ARK_SKILL_API_KEY")Use least-privilege credentials, scope them to the intended region/instances, and avoid providing production-wide keys unless you intend the skill to access them.
Database request details may be routed through a configured gateway that users may not realize is in use.
When ARK_SKILL_API_BASE and ARK_SKILL_API_KEY are present, database API requests can be sent through an environment-defined API gateway with a bearer token. The visible SKILL.md mainly documents Volcengine credentials and does not clearly describe this gateway trust boundary.
url = f"{self.api_base.rstrip('/')}/?Action={action}&Version=2018-01-01"
headers = {
"Content-Type": "application/json",
"Authorization": f"Bearer {self.api_key}",Before use, verify ARK_SKILL_API_BASE points to a trusted service, or unset the ARK gateway variables and use explicitly scoped Volcengine credentials.
Sensitive database query results or local files used for analysis can remain on disk and may be reused or exposed in later sessions.
The analyzer persists registered dataframes/files into a DuckDB database under /tmp and explicitly keeps the file after exit, with no visible retention limit or default cleanup.
DB_PATH = os.path.join(tempfile.gettempdir(), 'multi_source_analyzer.duckdb')
...
# 退出时不删除文件,下次可以继续使用
pass
...
self._duck_conn.execute(f"CREATE OR REPLACE TABLE {name} AS SELECT * FROM df")Only analyze data you are comfortable storing locally, and delete /tmp/multi_source_analyzer.duckdb and generated workspace artifacts after sensitive analyses.
The skill can perform powerful database operations, but the documented workflow attempts to prevent direct high-risk mutations.
The skill exposes SQL execution and database-change workflows, but the instructions explicitly constrain direct SQL execution to read-only operations and route writes through work orders.
execute_sql 只能执行只读操作(SELECT、SHOW、EXPLAIN)。你绝不能通过 execute_sql 执行 INSERT/UPDATE/DELETE/DDL... 写操作必须通过工单函数
Review every generated SQL statement and any DML/DDL change ticket before approval, especially on production databases.