billjamno58

AI NL2SQL

by YK-Global · GitHub ↗ · v1.0.1 · MIT-0
cross-platform ⚠ suspicious
Downloads: 70
Stars: 0
Active Installs: 0
Versions: 2
Install in OpenClaw
/install ai-nl2sql
Description
Convert natural language questions into SQL queries on your uploaded CSV/Excel files, execute them offline, and return results with optional charts.
Usage Guidance
Key things to consider before installing or using:
- Privacy: If you use the PRO mode (supply an OpenAI API key), the skill builds a text prompt that includes the inferred schema and sample values from your uploaded CSV/Excel files and sends that to OpenAI. Do not use PRO mode with sensitive or confidential data unless you accept that those file-derived details will be transmitted to OpenAI.
- Billing: The skill calls skillpay.me to charge per-call. SKILL_BILLING_API_KEY (sent as X-API-Key) is used to authenticate billing requests. The SKILL.md states Feishu IDs may be transmitted for billing — but the code currently passes static user IDs ('api_user'/'cli_user') in charge calls. Review skillpay.me's privacy/terms before supplying a billing API key.
- Documentation mismatches: The README claims 'No data leaves the user's environment' — that is incorrect for PRO (OpenAI) mode. The registry metadata omits required env vars listed in SKILL.md. Treat those inconsistencies as a red flag and prefer to run the code in a controlled environment first.
- Mitigations: (1) Use the FREE/rule-based mode when processing sensitive files (no OpenAI calls). (2) Run the CLI locally (inspect network traffic) or in an isolated environment if you must test PRO mode. (3) If you must use PRO, provide your own OpenAI API key (so the skill does not use any third-party stored key) and avoid uploading PII. (4) Review the skillpay.me billing endpoint behavior and logs before providing SKILL_BILLING_API_KEY.
- If you want higher assurance, ask the author to: update SKILL.md to accurately state when data is sent to OpenAI (what fields) and whether sample values are included; clarify exactly what user ID is sent to billing; and add an explicit opt-in that warns the user when their data will be included in prompts.
Capability Analysis
Type: OpenClaw Skill
Name: ai-nl2sql
Version: 1.0.1
The NL2SQL skill is a legitimate tool for querying CSV and Excel files using natural language. It uses OpenAI for SQL generation and pandasql for local, sandboxed execution on DataFrames. The skill includes a transparently documented billing mechanism via 'skillpay.me' (IOC: skillpay.me) that transmits a user identifier for per-call charging. Security features include a SQLValidator in scripts/parser.py that restricts execution to read-only SELECT statements, and no evidence of data exfiltration, unauthorized command execution, or malicious prompt injection was found.
Capability Tags
crypto · can-make-purchases · requires-sensitive-credentials
Capability Assessment
Purpose & Capability
The skill's code implements NL→SQL, local execution on pandas DataFrames, charting, and optional OpenAI-based SQL generation — which matches the description. However the registry metadata says there are no required env vars while SKILL.md and the code rely on SKILL_BILLING_API_KEY / SKILL_BILLING_SKILL_ID for billing. The SKILL.md claim 'No data leaves the user's environment' is inconsistent with the code path that calls OpenAI with a prompt containing the schema and sample values (i.e., user data will be sent to OpenAI when using PRO).
Instruction Scope
SKILL.md instructs running the CLI/API and states offline sandboxing. The code will (a) call SkillPay endpoints (skillpay.me) for billing and (b) call OpenAI when an API key is provided, sending a generated prompt that includes schema and sample values extracted from your files. That means file contents (at least schema and sample rows) leave the environment for AI generation — contradicting the security note in SKILL.md. The SKILL.md also states Feishu User ID may be transmitted for billing, but the code uses hard-coded user identifiers ('api_user'/'cli_user') in its calls; the doc and code are inconsistent here.
Install Mechanism
There is no install spec in the registry (instruction-only), but the package includes Python source and a requirements.txt listing common libraries (pandas, openai, requests, matplotlib, pandasql). These are normal for the stated functionality and do not involve fetching code from untrusted URLs. Still, because the package contains runnable code (not purely prose), installation will place code on disk, and the installed dependencies may generate network activity when used.
Credentials
SKILL.md lists SKILL_BILLING_API_KEY and SKILL_BILLING_SKILL_ID as required env vars; the registry metadata lists none — mismatch. The billing API key (if set) is sent to skillpay.me as X-API-Key. The OpenAI API key is provided by the user via CLI/API (not via a declared env var), but when it is present, prompts containing file schema and sample values are sent to OpenAI. If you provide a PRO API key, your file-derived data will be transmitted to OpenAI. Requiring a billing API key that will be sent to an external billing service is proportionate to the billed feature, but the documentation understates where data leaves the environment.
Persistence & Privilege
The skill does not request elevated or persistent platform privileges. It sets always:false and does not modify other skills or global agent settings. It only reads files provided by the user and uses environment variables for billing; it does not attempt to persist credentials to unrelated configs.
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install ai-nl2sql
  3. After installation, invoke the skill by name or use /ai-nl2sql
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.1
- Added a dedicated "Security Notes" section detailing SQL safety precautions, data isolation, and external data transmission practices.
- Clarified that all AI-generated SQL is validated to block non-SELECT queries and only permit read-only operations.
- Emphasized that SQL execution remains local, with no data transmission except for billing-related user ID.
- No code or functional changes; documentation update only.
v1.0.0
- Initial release of ai-nl2sql skill: natural language to SQL queries for CSV and Excel files.
- Supports plaintext questions, auto-generates SQL, and displays results with optional charts.
- Command line and Python API both available.
- Tiered features: FREE for basic/rule-based queries, PRO with AI (GPT-4) and expanded capabilities.
- $0.01 per paid query via SkillPay integration.
- Secure offline SQL execution in pandas; no real database connection needed.
Metadata
Slug ai-nl2sql
Version 1.0.1
License MIT-0
All-time Installs 0
Active Installs 0
Total Versions 2
Frequently Asked Questions

What is AI NL2SQL?

AI NL2SQL converts natural language questions into SQL queries on your uploaded CSV/Excel files, executes them offline, and returns results with optional charts. It is an AI Agent Skill for Claude Code / OpenClaw, with 70 downloads so far.

How do I install AI NL2SQL?

Run "/install ai-nl2sql" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is AI NL2SQL free?

Yes, AI NL2SQL is completely free, licensed under MIT-0. You can download, install and use it at no cost.

Which platforms does AI NL2SQL support?

AI NL2SQL is cross-platform and runs anywhere OpenClaw / Claude Code is available.

Who created AI NL2SQL?

It is built and maintained by YK-Global (@billjamno58); the current version is v1.0.1.
