Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
data-query
v1.0.0
General-purpose natural-language-to-SQL and visualization page generation skill. Invoke this skill when the user queries data in natural language or needs a dashboard page with charts. The skill generates SQL directly from the mounted knowledge-base context, validates it, and then produces a deployable HTML chart page.
⭐ 0· 52·0 current·0 all-time
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
OpenClaw
Suspicious
High confidence
Purpose & Capability
The skill does what its name/description claim: convert NL→SQL, validate, and generate ECharts HTML pages. Reaching databases and an API for verification is coherent with that purpose. However, the registry metadata declares no required env vars/credentials while the SKILL.md requires a local config.json containing API and DB credentials (and a pre-populated config.json is included in the bundle). That mismatch (declared requirements = none vs. actual need for DB/API credentials) is unexpected and should be clarified.
Instruction Scope
Runtime instructions tell the agent to read and (on missing values) write credentials into skills/data-query/config.json, to read numerous internal knowledge files (database_specs, knowledge/*), to call src/verify/index.js in 'unified' mode (DB direct + HTTP API), to encrypt SQL and embed tokens into generated HTML, and optionally to copy outputs to acm_www/static/cockpit.html. The skill thus instructs file I/O beyond its own code (including writing to a workspace path '../../' and other system locations) and network access to an external API — behavior that extends beyond simple query generation and requires explicit user consent and safeguards.
Install Mechanism
There is no install spec (instruction-only in registry) which is lower-risk, but the bundle contains hundreds of code files, a Python virtualenv (venv_dm) and Node scripts. Although nothing in the manifest indicates it will self-install packages, the bundled code can be executed by the agent and includes third-party code (vendored pip packages). The presence of a full venv/node modules increases the attack surface if the code is executed locally — review before running.
Credentials
The skill requires database and API credentials at runtime (security.apiAuth, db.* or oracle.*) according to SKILL.md, but the registry declares no required env vars/primary credential. Moreover, a config.json included in the package contains cleartext credentials and an api.base endpoint (http://wsd.wisdomidata.com:19012) and a DB host 1.94.218.125. The skill also defaults workspace to '../../', meaning it will write outside its folder. Requesting/auto-writing full DB admin-style credentials and embedding them in files without declaring them is disproportionate and risky. The knowledge files include project-specific DB schemas and mapping data that may be sensitive.
Persistence & Privilege
always:false and agent-autonomy are normal, but the instructions explicitly say 'I will directly help you write into configuration file' and include flows that may write/overwrite files outside the skill directory (nl2sql_output, optionally acm_www/static/cockpit.html, workspace '../../'). The skill also mentions 'applyTweak() write back cockpit_current.html' which modifies template files. Modifying files outside the skill's own directory and auto-writing credentials increases persistence/privilege risk and requires human approval and containment.
Scan Findings in Context
[unicode-control-chars] unexpected: A prompt-injection pattern (unicode control characters) was detected in SKILL.md content. This may indicate an attempt to influence agent behavior during evaluation or runtime. It's not expected for an NL→SQL skill and should be investigated before trusting automated actions.
What to consider before installing
Plain-language recommendations before installing or running this skill:
- Do not run the code or let the agent auto-write configuration until you inspect it. The skill expects DB and API credentials in skills/data-query/config.json but the registry declares none. That mismatch is suspicious.
- Inspect and, if needed, remove hardcoded credentials included in config.json. The bundle contains cleartext credentials and an API base URL; treat them as untrusted and rotate any real secrets that may have been used.
- Run the skill only in an isolated/sandbox environment first (isolated VM or container) so it cannot overwrite files outside its directory or access production databases.
- Change the default workspace path from '../../' to a safe directory under your control so generated files cannot escape the skill folder. Do not allow writes to acm_www or other system paths unless you explicitly want that.
- If you need to connect to databases, create a principle-of-least-privilege DB user (read-only, limited schema access) and a short-lived API account; never supply admin credentials.
- Verify how verify() obtains JWT_TOKEN / API login flows before trusting it with passwords — ensure passwords are not exfiltrated to unknown endpoints.
- Because the repository includes extensive organization-specific knowledge/schema files, avoid uploading this bundle to any public service and review for sensitive PII or internal schema leakage.
- Consider asking the skill author for clarification: why registry declares no credentials, why config.json is prepopulated, and why the skill will auto-write config files and can write outside its folder. Require explicit human confirmation before any file writes or network calls.
If you want, I can suggest a short checklist to safely test this skill in a sandbox (commands to run, files to inspect, what to search for), or I can scan specific files you point to for sensitive strings or network endpoints.
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.
src/generate/validate_page.js:284
Shell command execution detected (child_process).
venv_dm/lib/python3.14/site-packages/pip/_vendor/pygments/formatters/__init__.py:91
Dynamic code execution detected.
src/generate/page.js:76
Environment variable access combined with network send.
src/verify/index.js:620
Environment variable access combined with network send.
src/generate/page.js:118
File read combined with network send (possible exfiltration).
src/templates/validate.js:345
File read combined with network send (possible exfiltration).
src/verify/index.js:399
File read combined with network send (possible exfiltration).
