by 安全扫描
OpenClaw
安全
high confidenceThe skill is internally consistent: it is an instruction-only SQL reviewer that asks for user-provided SQL and returns a structured report, and it does not request extra credentials, installs, or surprising system access.
评估建议
This skill is coherent and appears to do static SQL review only. Before installing: (1) avoid pasting sensitive production data (passwords, full PII) into queries you submit; (2) if you are uncomfortable with the 'self-improvement' behavior, check whether your agent stores review counts or shared memory — the skill's instructions expect the agent to track counts but do not specify where; (3) remember the skill is not connecting to your database — it cannot run queries or validate runtime plans, ...详细分析 ▾
✓ 用途与能力
The name/description (review SQL for correctness, security, performance) matches the SKILL.md instructions. No unrelated environment variables, binaries, or install steps are required. The lack of homepage/source is inconvenient for provenance but does not create an obvious capability mismatch given this is instruction-only.
ℹ 指令范围
Instructions focus on static analysis of SQL provided by the user and list specific checks to run. They do not instruct reading system files, environment variables, or contacting external endpoints. One item to note: the 'self-improvement' instruction asks the agent to count findings across reviews and surface top anti-patterns after 20 reviews — that implies maintaining state across runs (agent memory or external storage) but the skill gives no guidance on how/where to persist that data.
✓ 安装机制
No install spec and no code files — lowest-risk, instruction-only skill. Nothing is downloaded or written to disk by the skill itself.
✓ 凭证需求
No environment variables, credentials, or config paths are requested. The checks described (injection patterns, indexes, joins, etc.) are consistent with this lack of external credentials.
ℹ 持久化与权限
always:false and no elevated privileges — appropriate. However, the self-improvement instruction implicitly requires persistence of review counts; if the agent implements that by writing to memory or storage, users should be aware that aggregated findings may be retained. The skill itself does not request persistent privileges or system-wide changes.
安全有层次,运行前请审查代码。
运行时依赖
无特殊依赖
版本
latestv1.0.02026/3/22
Initial release of sql-query-reviewer skill. - Reviews SQL queries for correctness, performance, and security issues across major dialects - Detects common problems: N+1, missing indexes, injection risks, cartesian joins, implicit casts, and more - Returns structured review reports with severity ratings and optimized rewrites - Highlights what’s correct alongside actionable fixes and summary recommendations - Supports PostgreSQL, MySQL, SQLite, SQL Server, Oracle, BigQuery, Snowflake, and ANSI SQL - Learns from usage to surface the top 3 most common SQL issues over time
● 无害
安装命令 点击复制
官方npx clawhub@latest install sql-query-reviewer
镜像加速npx clawhub@latest install sql-query-reviewer --registry https://cn.clawhub-mirror.com
技能文档
Description
Review SQL queries across any dialect for correctness, performance, and security. Finds N+1 patterns, missing indexes, injection risks, cartesian joins, and implicit type casts. Returns a structured report with severity ratings and optimized rewrites.使用 当...时
- "optimize 查询"
- " SQL safe"
- "为什么 my 查询 slow"
- "check my SQL"
- " injection-safe"
- 任何 raw SQL 查询, ORM-generated SQL, 或 migration file
Supported dialects
PostgreSQL, MySQL, SQLite, SQL Server (T-SQL), Oracle, BigQuery, Snowflake — and any ANSI SQL.输入框
Paste the SQL query or queries. Optionally specify:- Dialect (defaults 到 generic ANSI SQL)
- Approximate 表 sizes (helps 带有 索引 advice)
- Whether 在...中 hot path (e.g., called 在...上 every 请求)
- ORM 在...中 使用 (如果 applicable)
输出 格式
## SQL Query ReviewCritical (fix before production)
- [Finding] — [why this causes bugs or data loss]
✗ Before: [problematic SQL]
✓ After: [corrected SQL]Performance (should fix)
- [Finding] — [estimated impact]
✗ Before: [slow SQL]
✓ After: [optimized SQL]Suggestions (nice to have)
- [Finding] — [explanation]
What's correct
- [Specific patterns done right]
Summary
[2–3 sentences: biggest risk, top fix, index recommendations if any]
Review checklist
Correctness
空comparison 使用=代替 的空不 在...中带有 subquery 可以 return NULLs — always 假UNION代替 的UNION 所有当...时 duplicates acceptable (unnecessary dedup)- Wrong join 类型:
INNER当...时LEFTneeded, 或 vice versa - Cartesian join (missing
在...上clause 或 cross join 没有 intent) - Aggregate 没有
分组 由在...上 non-aggregated columns - 错误 使用 的
拥有vs在哪里 - 日期/时间 arithmetic 在...中 wrong timezone
Security
- 字符串 interpolation 进入 查询 — SQL injection risk
- 用户-supplied 值 在...中
ORDER 由,LIMIT, 表/列 name - Missing parameterisation 在...中 dynamic SQL
- Overly broad
SELECTexposes sensitive columns - Missing 行-level security 过滤
Performance
SELECT当...时 仅 specific columns needed (excess data transfer)- Missing
在哪里clause 在...上 large 表 scan 点赞 '%值%'— 可以't 使用 索引 (leading wildcard)- 函数 applied 到 indexed 列 在...中
在哪里— defeats 索引 - N+1: 查询 inside 循环 could single JOIN
- Missing 索引 在...上 foreign 键 或 frequently filtered 列
- Subquery re-executes per 行 — 使用 CTE 或 JOIN 代替
ORDER 由 RAND()或 equivalent — 满 表 scan- Unbounded 结果 设置 带有 否
LIMIT
样式
- Inconsistent case (keywords, identifiers)
- Ambiguous 列 reference 没有 表 alias
- Long 查询 带有 否 CTEs 到 break 进入 readable steps
- Magic 数字 带有 否 评论 explaining
Severity definitions
- Critical: Correctness bug (wrong results), injection risk, 或 data loss — fix 之前 production
- Performance: Causes slow queries, 满 scans, 或 poor scalability — fix 之前 release
- Suggestion: Readability, maintainability, 或 defensive coding improvement
Self-improvement instructions
After each review, note the most common finding. After 20 reviews, surface the top 3 SQL anti-patterns seen as "Most common SQL issues" at the top of the response.数据来源:ClawHub ↗ · 中文优化:龙虾技能库
OpenClaw 技能定制 / 插件定制 / 私有工作流定制
免费技能或插件可能存在安全风险,如需更匹配、更安全的方案,建议联系付费定制