by 安全扫描
OpenClaw
可疑
medium confidenceThe 技能's 状态d purpose (SQL lifecycle 审计ing) matches the commands it tells the 代理 to 运行, but the 运行time instructions omit key operational requirements (the dbskiter 命令行工具 binary and how database 凭证s/connections are provided), which makes the 技能 incoherent and potentially unsafe to 运行 as-is.
评估建议
Before 安装ing or enabling this 技能: 1) Ask the author to declare required dependencies (explicitly 列出 dbskiter as a required binary and its minimum version). 2) Require explicit documentation for how database connections/凭证s are supplied (环境 variables, config files, or an external connector) and ensure least-privilege 凭证s are used (read-only, limited-模式). 3) 验证 dbskiter's provenance (official 网页site/GitHub release) and review what data it 发送s off-host — confirm it doesn't exfiltrate data. 4) Be ca...详细分析 ▾
⚠ 用途与能力
The 技能 is described as an SQL 审计ing 工具 and the 技能.md repeatedly references the dbskiter 命令行工具 and 应用ropriate 审计/ddl/优化 commands — that aligns with the 状态d purpose. However, the manifest does not declare dbskiter as a required binary and gives no detAIl about how the 命令行工具 will 认证 to tar获取 databases (no required env vars/config paths). A legitimate SQL-审计 技能 would normally declare the 命令行工具 dependency and how to supply DB 凭证s or connection config.
⚠ 指令范围
运行time instructions explicitly tell the 代理 to 运行 dbskiter commands using a --database=<name> argument and to 审计 files by path. The 技能.md assumes the existence of a working dbskiter 安装ation and an 访问ible database connection but does not instruct how 凭证s or connection strings are provided or 保护ed. That omission grants the 代理 broad implicit authority (it may end up 访问ing databases or local files) without declaring those requirements.
✓ 安装机制
This is an instruction-only 技能 with no 安装 spec and no code files, so there is no 安装er or 归档 to review. This lowers 安装-time risk. However, the 技能.md depends on an external 命令行工具 (dbskiter) that is neither provided nor declared.
⚠ 凭证需求
The 技能 requires connecting to databases (per the commands) but declares no required 环境 variables, primary 凭证, or config paths. That is disproportionate: database 凭证s/connection 信息 are necessary for the described functionality and should be explicitly declared. The omission makes it unclear how secrets are supplied and handled.
✓ 持久化与权限
The 技能 does not 请求 always:true and does not attempt to modify other 技能s or 系统-wide 设置tings. Autonomous invocation is allowed (平台 default) but does not combine with other privilege escalations in the manifest.
安全有层次,运行前请审查代码。
运行时依赖
无特殊依赖
安装命令
点击复制官方npx clawhub@latest install dbskiter-db-sql-auditor
镜像加速npx clawhub@latest install dbskiter-db-sql-auditor --registry https://cn.longxiaskill.com
技能文档
SQL审核 技能 何时使用
当用户提到以下关键词时,使用此技能:
用户说法 执行命令 说明 "审核SQL" dbskiter --输出-mode=AI --database= 审计 sql "" 审核单条SQL "检查规范" dbskiter --输出-mode=AI --database= 审计 sql "" 检查SQL规范 "DDL影响" dbskiter --输出-mode=AI --database= 审计 ddl "" 分析DDL影响 "审核文件" dbskiter --输出-mode=AI --database= 审计 file 审核SQL文件 "查看规则" dbskiter --输出-mode=AI --database= 审计 rules 查看审核规则 核心命令
- 审核SQL
输出:审核评分、问题列表、修复建议
评分标准:
90-100:通过 80-89:警告 <80:不通过
- DDL影响分析
输出:预估执行时间、风险点、建议
- 审核SQL文件
用途:批量审核多个SQL语句
- 查看规则
输出:所有审核规则列表
核心命令(9个)
- 审核SQL
输出:审核评分、问题列表、修复建议
- DDL影响分析
输出:预估执行时间、风险点、建议
- 审核SQL文件
用途:批量审核多个SQL语句
- 查看规则
输出:所有审核规则列表
- SQL优化
功能:智能优化SQL,提供重写建议、索引推荐、成本估算
- 索引推荐
功能:分析SQL并推荐合适的索引
- 执行计划分析
功能:分析执行计划,识别性能瓶颈
- 成本估算
功能:估算SQL执行成本(IO、CPU、内存)
- SQL重写
功能:自动重写SQL,消除常见性能问题
审核类型 syntax:语法规范 performance:性能规范 security:安全规范 style:编码风格 ddl:DDL规范 AI决策流程 场景1:用户说"审核这条SQL" 步骤1:提取用户提供的SQL 步骤2:执行 dbskiter --database= 审计 sql "" 步骤3:解读审核评分和问题列表 步骤4:给出修复建议
场景2:用户说"这个DDL有什么影响" 步骤1:提取DDL语句 步骤2:执行 dbskiter --database= 审计 ddl "" 步骤3:解读影响分析结果 步骤4:给出执行建议(如低峰期执行)