Realtime DB Query
Security checks across malware telemetry and agentic risk
Overview
The skill largely matches its stated DB-query purpose, but it omits required environment declarations and contains embedded Feishu credentials that cause data (chart images) to be sent to a hardcoded external account — a disproportionate and unexpected network exfiltration capability.
Before installing:
(1) Treat the skill as requiring sensitive DB credentials supplied via CONN_* entries in openclaw.json — the registry metadata did not declare these; verify and plan secure storage (openclaw.json must be chmod 0600 and not checked into VCS).
(2) Audit or remove the hardcoded Feishu credentials in scripts/chart_utils.py — they allow automatic upload of chart images (and possibly SQL-derived data) to a third-party account. If you do not want external delivery, disable or modify send_to_feishu and remove the embedded app_secret.
(3) Verify and obtain Oracle JDBC jars manually from Oracle (license-required) before use.
(4) Expect runtime outbound network activity: pip installs and font/JAR downloads; run in a controlled environment if you need to restrict egress.
(5) If you cannot audit the code or trust the Feishu destination, do not add production credentials; test with a throwaway database and no sensitive data.
(6) Ask the publisher to update registry metadata to list required env vars (CONN_*) and to avoid hardcoded third-party credentials or to make external delivery opt-in and documented.
SkillSpector
SkillSpector findings are pending for this release.
VirusTotal
No VirusTotal findings
