Security scan
OpenClaw
Suspicious
Medium confidence. The skill's declared purpose (SQL lifecycle auditing) matches the commands it has the agent run, but the runtime instructions omit key operational requirements (the dbskiter CLI binary, and how database credentials and connections are supplied). That leaves the skill internally inconsistent and potentially risky to run as-is.
Assessment recommendations
Before installing or enabling this skill: 1) Ask the author to declare required dependencies (explicitly list dbskiter as a required binary, with its minimum version). 2) Require explicit documentation of how database connections and credentials are supplied (environment variables, config files, or an external connector), and ensure least-privilege credentials are used (read-only, limited schema). 3) Verify dbskiter's provenance (official website or GitHub release) and review what data it sends off-host; confirm it does not exfiltrate data. 4) Be ca...
⚠ Purpose and capabilities
The skill is described as an SQL auditing tool, and its SKILL.md repeatedly references the dbskiter command-line tool and the corresponding audit/ddl/optimize commands, which aligns with the stated purpose. However, the manifest does not declare dbskiter as a required binary and gives no detail about how the command-line tool will authenticate to target databases (no required environment variables or config paths). A legitimate SQL-audit skill would normally declare the CLI dependency and how to supply database credentials or connection configuration.
⚠ Instruction scope
The runtime instructions explicitly tell the agent to run dbskiter commands with a --database=<name> argument and to audit files by path. The SKILL.md assumes a working dbskiter installation and an accessible database connection, but does not say how credentials or connection strings are provided or protected. That omission grants the agent broad implicit authority (it may end up accessing databases or local files) without declaring those requirements.
✓ Install mechanism
This is an instruction-only skill with no install spec and no code files, so there is no installer or archive to review, which lowers install-time risk. However, the SKILL.md depends on an external command-line tool (dbskiter) that is neither provided nor declared.
⚠ Credential requirements
The skill requires database connections (per its commands) but declares no required environment variables, primary credential, or config paths. That is disproportionate: database credentials and connection information are necessary for the described functionality and should be declared explicitly. The omission makes it unclear how secrets are supplied and handled.
✓ Persistence and permissions
The skill does not request always:true and does not attempt to modify other skills or system-wide settings. Autonomous invocation is allowed (the platform default) but is not combined with any other privilege escalation in the manifest.
Security is layered; review the code before you run it.
Runtime dependencies
No special dependencies
Install command
Official: npx clawhub@latest install dbskiter-db-sql-auditor
Mirror (accelerated): npx clawhub@latest install dbskiter-db-sql-auditor --registry https://cn.longxiaskill.com
Skill documentation
SQL Audit Skill

When to use: use this skill when the user mentions the following keywords.

| User phrasing | Command to run | Description |
| --- | --- | --- |
| "审核SQL" (audit SQL) | dbskiter --output-mode=ai --database= audit sql "" | Audit a single SQL statement |
| "检查规范" (check conventions) | dbskiter --output-mode=ai --database= audit sql "" | Check SQL conventions |
| "DDL影响" (DDL impact) | dbskiter --output-mode=ai --database= audit ddl "" | Analyze the impact of a DDL statement |
| "审核文件" (audit file) | dbskiter --output-mode=ai --database= audit file | Audit an SQL file |
| "查看规则" (view rules) | dbskiter --output-mode=ai --database= audit rules | List the audit rules |
Core commands
- Audit SQL
- DDL impact analysis
- Audit an SQL file
- View rules
- SQL optimization
- Index recommendation
- Execution plan analysis
- Cost estimation
- SQL rewrite
Audit types
- syntax: syntax conventions
- performance: performance conventions
- security: security conventions
- style: coding style
- ddl: DDL conventions
AI decision flow

Scenario 1: the user says "audit this SQL"
Step 1: extract the SQL the user provided
Step 2: run dbskiter --database= audit sql ""
Step 3: interpret the audit score and the list of findings
Step 4: propose fixes

Scenario 2: the user says "what is the impact of this DDL"
Step 1: extract the DDL statement
Step 2: run dbskiter --database= audit ddl ""
Step 3: interpret the impact analysis
Step 4: give execution advice (for example, run it during off-peak hours)
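The table and the two scenarios above leave the agent to assemble dbskiter command lines on its own, which is exactly where the scan's findings bite: the binary is undeclared, credentials are undeclared, and `audit file` touches arbitrary local paths. The Python wrapper below is an added example, not code from this skill or from dbskiter. It uses only the flags shown in the table (--output-mode=ai, --database=, audit sql/ddl/file/rules); it refuses to run when dbskiter is not on PATH, checks the database name against an allowlist, confines `audit file` paths to a workspace directory, passes the SQL as its own argv element rather than a shell string, and forwards only an explicit set of environment variables to the child process. ALLOWED_DATABASES, WORKSPACE, CREDENTIAL_ENV_VARS and the keyword map are assumptions made for the example.

```python
"""Guarded dispatcher for the dbskiter invocations listed in the skill table.

Added example, not code from the skill or from dbskiter. Only the flags shown
in the skill's table are taken from the page; the allowlist, workspace root,
environment-variable names and keyword map are assumptions for illustration.
"""
import os
import re
import shutil
import subprocess

# Assumption: the operator maintains an allowlist of databases the agent may audit.
ALLOWED_DATABASES = {"inventory", "orders"}
# Assumption: SQL files handed to `audit file` must live under this directory.
WORKSPACE = "/srv/agent-workspace"
# Assumption: connection configuration reaches dbskiter through these variables.
# The skill itself never says how credentials are supplied, so this is a placeholder name.
CREDENTIAL_ENV_VARS = ("DBSKITER_CONFIG",)

_DB_NAME = re.compile(r"^[A-Za-z0-9_]{1,64}$")

# Keyword map reproducing the skill's "user phrasing -> command" table (Chinese and English).
KEYWORD_TO_KIND = {
    "审核SQL": "sql", "audit sql": "sql",
    "检查规范": "sql", "check conventions": "sql",
    "DDL影响": "ddl", "ddl impact": "ddl",
    "审核文件": "file", "audit file": "file",
    "查看规则": "rules", "view rules": "rules",
}


def classify_request(user_text):
    """Return the audit kind for a user message, or None if no table keyword matches."""
    lowered = user_text.lower()
    for keyword, kind in KEYWORD_TO_KIND.items():
        if keyword.lower() in lowered:
            return kind
    return None


def confine_path(raw_path):
    """Resolve raw_path beneath WORKSPACE and reject anything that escapes it.

    realpath follows symlinks, so a link inside the workspace pointing outside
    it is rejected as well. An absolute raw_path is accepted only if it is
    itself inside the workspace.
    """
    ws = os.path.realpath(WORKSPACE)
    candidate = os.path.realpath(os.path.join(ws, raw_path))
    if os.path.commonpath([ws, candidate]) != ws:
        raise ValueError(f"path escapes workspace: {raw_path!r}")
    return candidate


def build_audit_argv(kind, database, target=None):
    """Build argv for `dbskiter --output-mode=ai --database=<db> audit <kind> [<target>]`.

    The SQL text or file path is a separate argv element and is never
    interpolated into a shell string, so quotes or semicolons inside
    user-supplied SQL cannot append a second command.
    """
    if kind not in ("sql", "ddl", "file", "rules"):
        raise ValueError(f"unknown audit kind: {kind!r}")
    if not _DB_NAME.fullmatch(database or "") or database not in ALLOWED_DATABASES:
        raise ValueError(f"database not permitted: {database!r}")
    argv = ["dbskiter", "--output-mode=ai", f"--database={database}", "audit", kind]
    if kind == "rules":
        return argv
    if not target:
        raise ValueError(f"audit {kind} needs a target")
    argv.append(confine_path(target) if kind == "file" else target)
    return argv


def run_audit(kind, database, target=None, timeout=60):
    """Run the audit with a minimal environment; refuse if dbskiter is absent.

    Returns (exit_code, stdout). Raises RuntimeError when the binary the skill
    silently assumes is not installed, instead of letting the agent fall back
    to some other `dbskiter` that happens to be on PATH later.
    """
    if shutil.which("dbskiter") is None:
        raise RuntimeError("dbskiter not found on PATH; the skill does not declare it")
    argv = build_audit_argv(kind, database, target)
    # Pass through PATH plus only the declared credential variables, nothing else.
    env = {"PATH": os.environ.get("PATH", "")}
    for name in CREDENTIAL_ENV_VARS:
        if name in os.environ:
            env[name] = os.environ[name]
    proc = subprocess.run(argv, capture_output=True, text=True, env=env, timeout=timeout)
    return proc.returncode, proc.stdout


if __name__ == "__main__":
    # Constructed input: a statement carrying a trailing injected command stays a single argument.
    print(build_audit_argv("sql", "inventory", "SELECT 1; DROP TABLE users"))
    print(classify_request("这个DDL影响大吗"))
```

The wrapper deliberately fails closed on the three gaps the scan calls out: an absent binary is an error rather than a silent no-op, a database outside the allowlist is never passed to --database=, and a file path that resolves outside WORKSPACE is rejected before dbskiter sees it.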