Lucid Skill

by wenkang-xie · GitHub ↗ · v2.0.0 · MIT-0
cross-platform ⚠ suspicious
Downloads: 223 · Stars: 0 · Active Installs: 0 · Versions: 2
Install in OpenClaw
/install lucid-skill
Description
AI-native data analysis via natural language. Connect Excel, CSV, MySQL, PostgreSQL data sources and query with SQL. Use when: (1) user asks to query, analyz...
README (SKILL.md)

lucid-skill

Connect data → infer semantics → query with natural language → get answers.

All output is JSON unless noted. No API key needed.

Quick Start

lucid-skill connect csv /path/to/sales.csv     # Connect data
lucid-skill overview                            # Check connected sources
lucid-skill search "月度销售额趋势"              # Find relevant tables + suggested SQL
lucid-skill query "SELECT month, SUM(amount) FROM sales GROUP BY month"  # Execute

Core Commands

Command                                Purpose
overview                               Show all connected sources, tables, semantic status
connect csv/excel/mysql/postgres       Connect a data source
tables                                 List all tables with row counts
describe <table>                       Column details + sample data + semantics
profile <table>                        Deep stats: null rate, distinct, min/max, quartiles
init-semantic                          Export schemas for semantic inference
update-semantic <file|->               Save semantic definitions (JSON from file or stdin)
search <query> [--top-k N]             Natural language → relevant tables + JOIN hints + metric SQL
join-paths <a> <b>                     Discover JOIN paths between two tables
domains                                Auto-discovered business domains
query <sql> [--format json|md|csv]     Execute read-only SQL
serve                                  Start MCP Server (stdio JSON-RPC)
serve Start MCP Server (stdio JSON-RPC)

For full command reference with all parameters: read references/commands.md

Smart Query Pattern (Recommended)

When a user asks a data question:

  1. lucid-skill search "关键词" — find relevant tables, suggestedJoins, suggestedMetricSqls
  2. If multi-table: lucid-skill join-paths table_a table_b — get JOIN SQL
  3. Compose SQL from the returned context
  4. lucid-skill query "SELECT ..." — execute and present results

Semantic Layer Setup

First-time setup to enable intelligent search:

lucid-skill init-semantic                               # Export schemas
# Analyze output → infer business meanings for each column
echo '{"tables":[...]}' | lucid-skill update-semantic -  # Save semantics

For JSON schema details: read references/json-schema.md

Key Tips

  • Auto-restore: Previous connections survive restarts. Always overview first to check existing state.
  • Read-only: Only SELECT allowed. INSERT/UPDATE/DELETE/DROP are blocked.
  • Semantic files: Stored in ~/.lucid-skill/semantic_store/ (YAML, human-readable).
  • Data directory: ~/.lucid-skill/ (override with LUCID_DATA_DIR env var).
  • Embedding: Set LUCID_EMBEDDING_ENABLED=true for better multilingual search (downloads ~460 MB model on first use).
  • No credentials stored: Database passwords are never written to disk.
  • MCP mode: lucid-skill serve starts stdio JSON-RPC server for MCP integrations.

Detailed References

Usage Guidance
This skill appears to do what it says: a read-only data exploration CLI and MCP server. Before installing or connecting sensitive data:

  1. Verify the package source for 'lucid-skill' (the uv install) and prefer pinned releases from a trusted registry.
  2. Inspect startup.auto_restore_connections (or try a dry run) to confirm DB passwords are not persisted and to see which connections are auto-restored.
  3. Be aware that enabling embeddings downloads a large model from the network; confirm the model source and allow adequate disk space.
  4. Avoid passing untrusted/remote-controlled file paths; some connectors interpolate paths into SQL with simple f-strings and may behave incorrectly with specially crafted paths (e.g., containing single quotes).
  5. Run the tool in an isolated environment or container if you intend to connect production databases.
  6. If you do not want the agent to call the skill autonomously, restrict invocation policies in your agent/platform.

If you want, I can: point to the exact lines that interpolate paths/identifiers, summarize startup.auto_restore behavior if you provide startup.py, or produce a short checklist to harden local deployment.
Capability Analysis
Type: OpenClaw Skill
Name: lucid-skill
Version: 2.0.0

The skill provides a data analysis framework for AI agents but contains multiple SQL injection vulnerabilities due to a lack of input sanitization. In files such as `lucid_skill/connectors/csv_conn.py`, `lucid_skill/connectors/excel_conn.py`, and `lucid_skill/catalog/profiler.py`, external inputs like file paths, sheet names, and table names are interpolated directly into SQL strings for the internal DuckDB engine. Furthermore, the SQL safety checker in `lucid_skill/query/safety.py` uses a naive regex-based approach to strip string literals, which may be bypassable in certain SQL dialects. While these appear to be unintentional security flaws rather than intentional malware, they represent a significant attack surface for prompt injection or malicious data sources.
Capability Assessment
Purpose & Capability
Name/description match the code and runtime instructions: a CLI/MCP tool that connects CSV/Excel and relational DBs, builds a DuckDB-backed catalog, offers semantic search and read-only SQL. Required binary 'lucid-skill' and the listed install step align with providing this CLI.
Instruction Scope
SKILL.md limits scope to read-only SELECT/WITH queries and describes connecting local files and DBs and starting an MCP stdio server. This matches the source: the CLI and server handlers expose tools to connect sources, list/describe tables, and execute queries. Two items to note: (1) the CLI/server persists a catalog and semantic files under ~/.lucid-skill/ and advertises 'auto-restore' of previous connections, but passwords are claimed not to be stored (see environment_proportionality). (2) Several code paths interpolate file paths and SQL identifiers into DuckDB SQL via Python f-strings (e.g., read_csv_auto('path') and read_xlsx('path')), which can be brittle if inputs contain unexpected characters (single quotes) and could result in local SQL parsing issues or unintended behavior; this is a coding/escaping vulnerability rather than evidence of malicious intent.
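The quoting problem noted under Instruction Scope, as an added example (not code from lucid-skill): the raw f-string pattern beside standard SQL literal and identifier quoting. The helper names and sample values are assumptions made for illustration, and Python's built-in sqlite3 stands in for DuckDB only to check that the quoted forms parse back to the original value.

```python
import sqlite3

# Hypothetical helpers for illustration; not taken from lucid-skill's source.
def sql_string_literal(value: str) -> str:
    """Standard-SQL string literal: single-quote it, doubling embedded single quotes."""
    if "\x00" in value:
        raise ValueError("NUL byte not allowed in a SQL literal")
    return "'" + value.replace("'", "''") + "'"

def sql_identifier(name: str) -> str:
    """Quoted identifier: double-quote it, doubling embedded double quotes."""
    if not name or "\x00" in name:
        raise ValueError("empty or NUL-containing identifier")
    return '"' + name.replace('"', '""') + '"'

def scan_sql_naive(path: str) -> str:
    # Pattern described in the report: the path is pasted between quotes as-is.
    return f"SELECT * FROM read_csv_auto('{path}')"

def scan_sql_quoted(path: str) -> str:
    return f"SELECT * FROM read_csv_auto({sql_string_literal(path)})"

def literal_roundtrips(literal_sql: str, expected: str) -> bool:
    """Parse the literal with SQLite (stand-in engine) and compare the value."""
    conn = sqlite3.connect(":memory:")
    try:
        return conn.execute("SELECT " + literal_sql).fetchone()[0] == expected
    except sqlite3.Error:
        return False  # the text no longer parses as a single literal
    finally:
        conn.close()

def identifier_roundtrips(name: str) -> bool:
    """Create a table under the quoted name and read the stored name back."""
    conn = sqlite3.connect(":memory:")
    try:
        conn.execute(f"CREATE TABLE {sql_identifier(name)} (x)")
        return conn.execute("SELECT name FROM sqlite_master").fetchone()[0] == name
    finally:
        conn.close()

# Constructed sample inputs: an ordinary path and sheet name containing quotes.
SAMPLE_PATH = "/data/o'brien/sales.csv"
SAMPLE_SHEET = 'Q1 "final"'

if __name__ == "__main__":
    print(scan_sql_naive(SAMPLE_PATH))
    print(scan_sql_quoted(SAMPLE_PATH))
    print(literal_roundtrips(f"'{SAMPLE_PATH}'", SAMPLE_PATH))
    print(identifier_roundtrips(SAMPLE_SHEET))
```

Where the engine accepts a bound parameter in that position, binding the value is preferable to building the literal by hand.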
Install Mechanism
Install spec uses a 'uv' package install of 'lucid-skill' and the skill bundle includes full Python source and a pyproject. There are no opaque remote-download URLs or URL shorteners in the install spec. The install approach is proportionate for a CLI tool; verify the uv package source/trust before installing.
Credentials
The skill declares no required environment variables or credentials, which is consistent. It documents optional env vars (LUCID_DATA_DIR, LUCID_EMBEDDING_ENABLED). Database credentials are accepted at connect-time (CLI options / tool params) and the CatalogStore strips 'password' before writing source config. Two cautions: (1) the 'auto-restore' feature raises the question of how DB connections are re-established without stored passwords — startup logic may attempt to restore only file-based sources or may fail for DBs (the code can surface failures). (2) Enabling embeddings triggers a large (~460 MB) model download from external model hosts when enabled; that requires network access and disk space and should be acceptable only if you trust the model source.
Persistence & Privilege
The skill persists a catalog and semantic YAML under ~/.lucid-skill/ (configurable via LUCID_DATA_DIR), and may download models into a models cache. It does not request elevated OS privileges or set always:true. The MCP server runs over stdio for integrations (expected) — be aware that autonomous agent invocation will allow the agent to call the tool handlers to access local files and databases if you grant it access.
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install lucid-skill
  3. After installation, invoke the skill by name or use /lucid-skill
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v2.0.0
Python rewrite: TS→Python, DuckDB unified storage, zero native compilation, install via pip/uv
v1.0.1
Initial ClawHub release: AI-native data analysis, skill-creator spec compliant
Metadata
Slug: lucid-skill
Version: 2.0.0
License: MIT-0
All-time Installs: 0
Active Installs: 0
Total Versions: 2
Frequently Asked Questions

What is Lucid Skill?

AI-native data analysis via natural language. Connect Excel, CSV, MySQL, PostgreSQL data sources and query with SQL. Use when: (1) user asks to query, analyz... It is an AI Agent Skill for Claude Code / OpenClaw, with 223 downloads so far.

How do I install Lucid Skill?

Run "/install lucid-skill" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is Lucid Skill free?

Yes, Lucid Skill is completely free, licensed under MIT-0. You can download, install and use it at no cost.

Which platforms does Lucid Skill support?

Lucid Skill is cross-platform and runs anywhere OpenClaw / Claude Code is available.

Who created Lucid Skill?

It is built and maintained by wenkang-xie (@wenkang-xie); the current version is v2.0.0.
