Security scan
OpenClaw
Suspicious
High confidence. The skill's behavior (a shell script that requires DB credentials and runs queries) matches the description, but the registry metadata omits the required environment variables, and there are practical risks in how credentials and outputs are handled.
Assessment and recommendation
This skill appears to do what it claims (run read-only queries), but the package metadata failing to declare the required DB environment variables is a red flag — the skill will require your DB credentials even though that isn't advertised. Before installing or using it: (1) require the publisher to update metadata to list required env vars and clarify how secrets are handled; (2) only run against non-production or read-only accounts; create and use a DB user with minimal read-only privileges an...
⚠ Purpose and capabilities
Name/description promise (read-only DB inspection for Postgres/MySQL) aligns with the script's behavior, but the skill metadata declares no required env vars/credentials while both SKILL.md and scripts rely on multiple DB credential env vars (PG*/MYSQL_*). That mismatch is a meaningful incoherence.
✓ Instruction scope
SKILL.md limits actions to read-only queries and points to the script; it documents the connection env vars and safety rules. The runtime instructions do not instruct the agent to access unrelated files or external endpoints. However, the guidance to "avoid printing secrets" is advisory only and not enforced.
✓ Install mechanism
No install spec (instruction-only + included script). Nothing is downloaded or written by an installer, which is low-risk from an install vector perspective.
⚠ Credential requirements
The skill needs DB credentials (PGHOST/PGDATABASE/PGUSER/PGPASSWORD or MYSQL_HOST/MYSQL_USER/MYSQL_PASSWORD, etc.) but the registry lists none. The script exports MYSQL_PWD and PGPASSWORD and expects those env vars to exist — using these env-based secrets is functional but can be risky (possible exposure in environment, saved outputs, or misconfiguration). Required credentials are not declared in metadata, which prevents automated checks and least-privilege enforcement.
✓ Persistence and privileges
The always flag is false, and the skill does not request persistent platform privileges or modify other skills/configs. Autonomous invocation is allowed (platform default) but is not combined with other dangerous privileges here.
Precautions before installing
- Require the publisher to update the metadata to list the required env vars and clarify how secrets are handled.
- Only run against non-production or read-only accounts; create and use a DB user with minimal read-only privileges and limited schemas.
- Inspect and test the script in an isolated environment — note it exports PGPASSWORD/MYSQL_PWD, which can be exposed by some system tools; prefer client-side auth methods (.pgpass, socket auth, or IAM-based short-lived creds) if available.
- Be cautious when using --out (files may contain sensitive data) and avoid running complex user-provided SQL without review.
- If you must proceed, run the script on a guarded workstation/network and validate output before sharing. If the author cannot justify the missing metadata or confirm safe handling of credentials, treat the skill as untrusted.
Security is layered; review the code before running it.
Runtime dependencies
No special dependencies
Version
latest v1.0.0 2026/2/10
● Suspicious
Install command
Official: npx clawhub@latest install db-readonly
Mirror: npx clawhub@latest install db-readonly --registry https://cn.clawhub-mirror.com
Skill documentation
Use this skill for database read tasks only.
What this skill does
- Connect to PostgreSQL or MySQL using connection env vars
- Execute SELECT / WITH / EXPLAIN queries only
- Optionally save output to CSV/TSV/JSON
- Block risky SQL (INSERT, UPDATE, DELETE, DROP, ALTER, etc.)
Connection env vars
PostgreSQL
- PGHOST
- PGPORT (optional, default 5432)
- PGDATABASE
- PGUSER
- PGPASSWORD
MySQL
- MYSQL_HOST
- MYSQL_PORT (optional, default 3306)
- MYSQL_DATABASE
- MYSQL_USER
- MYSQL_PASSWORD
Run
Use the script:
scripts/db_readonly.sh postgres "SELECT now();"
scripts/db_readonly.sh mysql "SELECT NOW();"
Export example:
scripts/db_readonly.sh postgres "SELECT * FROM users LIMIT 100" --format csv --out /tmp/users.csv
Safety rules
- Refuse non-read SQL.
- Prefer LIMIT for exploratory queries.
- When the user asks for updates/deletes/schema changes, ask for explicit confirmation and do not run them via this skill.
- Avoid printing secrets from env vars.
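The "SELECT / WITH / EXPLAIN only" and "Block risky SQL" rules above describe a client-side read-only gate. The following is an added example of such a gate, written here for illustration; it is not the skill's own scripts/db_readonly.sh, whose source is not shown on this page. The function names normalize_sql, is_readonly_sql and run_pg_readonly are assumptions, the gate is deliberately stricter than the documented keyword list (it also refuses multi-statement input, SELECT ... INTO and data-modifying CTEs), and the psql wrapper assumes a ~/.pgpass entry or socket/peer auth instead of an exported PGPASSWORD, which is the alternative the scan above recommends.

```shell
#!/usr/bin/env bash
# Added example: a conservative read-only SQL gate plus a psql wrapper.
# Not the skill's own script; names and behaviour are assumptions.

# Normalise a statement for inspection: drop -- line comments (per line,
# before joining), drop /* */ block comments, fold whitespace, lower-case,
# trim. Comments are removed first so a keyword hidden behind a comment
# marker does not evade the checks in is_readonly_sql.
normalize_sql() {
  printf '%s\n' "$1" \
    | sed -e 's/--.*$//' \
    | tr '\n' ' ' \
    | sed -e 's#/\*[^*]*\*/# #g' \
    | tr '[:upper:]' '[:lower:]' \
    | sed -e 's/[[:space:]]\{1,\}/ /g' -e 's/^ //' -e 's/ $//'
}

# Returns 0 when the statement is acceptable as read-only, 1 otherwise.
# Anything the gate cannot classify is refused (fail closed).
is_readonly_sql() {
  local sql
  sql=$(normalize_sql "$1")
  sql=${sql%;}                        # allow one trailing semicolon
  sql=${sql% }                        # ...and the space that may precede it
  [ -n "$sql" ] || return 1           # empty input
  case "$sql" in
    *\;*|*/\**|*\*/*) return 1 ;;     # multi-statement, or an unterminated block comment
  esac
  case "$sql" in                      # must begin with an allowed read verb
    select|select\ *|with\ *|explain\ *) ;;
    *) return 1 ;;
  esac
  # Refuse write/DDL/admin keywords anywhere in the statement. This also covers
  # data-modifying CTEs (WITH ... DELETE ...), SELECT ... INTO (creates a table
  # in PostgreSQL) and EXPLAIN ANALYZE of a write. A column literally named
  # "do" or "set" is a false positive, and the gate refuses it on purpose.
  if printf '%s\n' "$sql" | grep -Eq \
      '(^|[^a-z_])(insert|update|delete|merge|drop|alter|truncate|create|grant|revoke|copy|into|call|do|lock|vacuum|reindex|set|reset)([^a-z_]|$)'; then
    return 1
  fi
  return 0
}

# Run a gated statement against PostgreSQL. Besides the client-side gate, the
# session is started with default_transaction_read_only=on (via libpq's
# PGOPTIONS) so the server rejects writes even if the gate is wrong. The
# password is expected to come from ~/.pgpass or socket/peer auth; nothing
# here exports PGPASSWORD into the environment.
run_pg_readonly() {
  local sql="$1"
  if ! is_readonly_sql "$sql"; then
    printf 'refused: not a read-only statement\n' >&2
    return 2
  fi
  PGOPTIONS='-c default_transaction_read_only=on' \
    psql -X -v ON_ERROR_STOP=1 -At -c "$sql"
}

# Usage: source this file, then: run_pg_readonly "SELECT now();"
```

Two design points. First, the keyword check is only a guard rail for the agent: it fails closed on unusual identifiers, and a determined caller can still find SQL it misclassifies, so the read-only database role the scan recommends (minimal SELECT grants on limited schemas) remains the actual control. Second, default_transaction_read_only is a session default rather than a privilege, which is another reason the role's grants, not the client, must be what prevents writes.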
Reference
- Query cookbook:
references/query-cookbook.md
Source: ClawHub ↗ · Chinese localisation: 龙虾技能库
OpenClaw skill customisation / plugin customisation / private workflow customisation
Free skills or plugins may carry security risks; for a better-matched and more secure solution, consider paid customisation.