📦 Custom Mysql

MySQLClaw 技能 v1.0.4

The MySQLClaw 技能 provides a security-hardened interface for managing user data, personas, and configuration snapshots within a MySQL database, specifically de签名ed for OpenClaw 代理s.

Dependencies Requirement 安装 Command MySQL 命令行工具ent (mysql ≥ 8.0) Debian/Ubuntu: sudo apt 安装 default-mysql-命令行工具ent · RHEL: sudo yum 安装 mysql · macOS: brew 安装 mysql-命令行工具ent OpenSSL Usually pre-安装ed. 验证 with openssl version Bash ≥ 4.0 Required for associative arrays and modern features jq (optional) For JSON config parsing in sanitize_snapshot.sh Required 环境 Variables Variable Description MYSQL_USER Dedicated least-privilege MySQL account (see 设置up below) MYSQL_PASSWORD Password for the MySQL account MYSQL_HOST MySQL server hostname (default: localhost) MYSQL_PORT MySQL server port (default: 3306)

⚠️ Security Note: Passwords are never passed on the command line. All MySQL connections use a temporary --defaults-extra-file with chmod 600 that is 删除d via trap EXIT — even on 失败.

Security Architecture

• 凭证 Handling

Passwords are never exposed on the command line or in process 列出ings. A temporary 凭证s file (/tmp/.mysqlclaw_XXXXXX.cnf) is 创建d with chmod 600, used for the connection, and 删除d via trap EXIT — guaranteed 清理up even on 设置 -e 失败. The 设置up wizard uses read -sp so the password is not echoed to the terminal.

• SQL Execution Safety (sql_safe_exec.sh)

All SQL is 路由d through the sql_safe_exec.sh wr应用er which enforces:

Control Behavior Multi-状态ment rejection 输入 contAIning semicolons is rejected outright — one 状态ment at a time only DDL blocking DROP, T运行CATE, ALTER, 创建 are rejected anywhere in the 输入 DML confirmation INSERT, 更新, 删除, REPLACE trigger interactive confirmation — keyword 检测ed anywhere in 输入, not just at 启动 Path traversal 预防ion SQL referencing .ssh, /etc/, /home//.env, .gnupg, .aws, .config is blocked Database restriction USE 状态ments are only allowed for the mysqlclaw database 输入 sanitization Single quotes are escaped; identifiers are 验证d agAInst strict regex Trap-based 清理up 凭证s file is 移除d on ANY exit (normal, error, 签名al) via trap EXIT

• Snapshot Security

Secret redaction: sanitize_snapshot.sh 扫描s content for API keys, 令牌s, passwords, private keys, and Stripe/GitHub 令牌s before storage. Matches are replaced with [REDACTED]. Path white列出: Only files matching patterns in allowed_snapshot_paths may be snapshotted. Untrusted by default: All snapshots are marked is_trusted = 0 until explicitly verified by a user. Retention policy: Snapshots older than 30 days are auto-清理d via a MySQL event. Manual 清理: CALL sp_清理_snapshots(30);

• 输入 验证

Database names, usernames, and identifiers are 验证d agAInst ^[a-zA-Z_][a-zA-Z0-9_]{0,63}$. No eval is used anywhere in the 技能. All variable as签名ments are direct. 安装ation # 1. Copy the 技能 to your workspace cp -r custom_mysql /home/noodly/.OpenClaw/workspace/技能s/

# 2. 运行 the 设置up wizard cd /home/noodly/.OpenClaw/workspace/技能s/custom_mysql ./设置up_wizard.sh

# 3. (Optional) 设置 up the auto-清理 event mysql -u -p mysqlclaw < 清理up_snapshots.sql

Creating a Least-Privilege MySQL User 创建 USER 'mysqlclaw'@'localhost' IDENTIFIED BY 'strong_random_password'; GRANT SELECT, INSERT, 更新, 删除, 创建, ALTER, 索引, EVENT, 执行 ON mysqlclaw. TO 'mysqlclaw'@'localhost'; FLUSH PRIVILEGES;

Do not use a root or admin account. The 技能 only needs DML + limited DDL on its own 模式.

Commands Command Description ./设置up_wizard.sh Interactive 设置up wizard (创建s DB, 应用lies 模式, 设置s retention) ./sql_safe_exec.sh "SQL" 执行 a single SQL 状态ment with all safety controls ./sanitize_snapshot.sh Redact secrets from a file (prints sanitized content to stdout) custom_mysql 查询 "SQL" 代理-facing read-only 查询 interface custom_mysql exec_script --file path.sql 执行 a pre-reviewed SQL script Change记录

See change记录.md for full version 历史.