Security scan
OpenClaw
Safe
medium confidence
The skill's code, instructions, and resource access are consistent with a local database health-check/reporting tool; it appears to do what it claims and does not request unrelated credentials or remote APIs, with a few operational notes to consider.
Assessment recommendations
This skill appears coherent for local DB health checks and report generation, but review these before installing: 1) Only run it against databases you are authorized to inspect. 2) If you enable SSH collection, be aware AutoAddPolicy() auto-accepts host keys — avoid using that over untrusted networks. 3) Check logs/history (autoDoc.log, history.json) on first runs to ensure no sensitive secrets are being written in your environment. 4) ai_config.json points to localhost by default; if you change...
Detailed analysis
✓ Purpose and capabilities
Name/description (DB health checks + local AI suggestions) match the included scripts: MySQL/Postgres collectors, report generation, optional SSH-based system metrics, and local Ollama integration. Required resources (DB creds, optional SSH creds) are appropriate for the stated functionality.
ℹ Instruction scope
SKILL.md and scripts limit network/AI calls to local resources (ai_config.json defaults to localhost) and instruct the agent to run included Python scripts. The code will accept DB and SSH credentials to connect and will write reports, history.json and logs into the skill directory. Two operational risks to note: (1) SSH collectors use paramiko.AutoAddPolicy() to auto-accept host keys (documented in SKILL.md) which is convenient for internal usage but can introduce MITM risks if used on untrusted networks; (2) scripts create/write license and log files (mysql_inspector.lic, autoDoc.log, reports/, history.json) — they state that passwords are not persisted, but you should verify logs/history do not inadvertently include secrets in your environment.
✓ Install mechanism
This is an instruction-only skill (no install spec). It relies on standard Python packages and tells users how to pip-install missing dependencies. No remote archive downloads or opaque installers are present in the manifest.
✓ Credential requirements
The skill requests no environment variables or external credentials beyond the DB/SSH credentials required for its job. The ai_config.json is local-only and defaults to Ollama on localhost. The license manager writes a license file locally; no unrelated cloud credentials or tokens are requested.
ℹ Persistence and privileges
always:false (normal). The skill writes files to its own directory (reports/, history.json, autoDoc.log, mysql_inspector.lic). Creating a local license file with a long trial/permanent default is unusual but contained to the skill directory. Autonomous invocation (disable-model-invocation:false) is the platform default and not flagged alone.
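Security is layered; review the code before running it.
Runtime dependencies
No special dependencies
Version
latest v1.0.8 2026/4/10
**This version hardens security and completely eliminates AI data exfiltration: all AI analysis supports local Ollama only, with expanded user-facing security notices and local data isolation documentation.**
- The AI diagnostics feature now only allows connections to local Ollama and prohibits remote APIs (such as OpenAI/DeepSeek/custom); the code and the web layer both enforce a double check on the backend and the URL
- The technical documentation adds a visual data-flow and security-architecture walkthrough, making clear that all sensitive data stays local
- Documents the local file structure, file contents, and whether each file contains sensitive information, to improve compliance and user understanding
- SKILL.md further details credential usage, the write mechanism, and the handling of sensitive information
- Removed remote-AI logic and descriptions from the code and docs; KYC is forced to use only the local large model to generate suggestions
- Compatible with the original Word report, history data, and Web UI capability descriptions, not
● Benign
Install command
Official: npx clawhub@latest install dbcheck
Mirror: npx clawhub@latest install dbcheck --registry https://cn.clawhub-mirror.com
Data source: ClawHub · Chinese localization: 龙虾技能库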