
Dev Machine Database

by alexmayanjun-collab · GitHub ↗ · v1.0.0 · MIT-0
cross-platform ⚠ suspicious
112 Downloads · 0 Stars · 1 Active Installs · 1 Versions
Install in OpenClaw
/install dev-machine-database
Description
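Connects to the development machine datax over SSH and queries table structures, data and statistics in the MySQL dw database; supports read-only SELECT operations, limited to 50 records.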
README (SKILL.md)

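Dev Machine Database Query Skill

Features

Connects to the development machine (datax) over SSH and queries the dw database in MySQL.

Trigger phrases

  • "去草坪上 dw 库看一下" ("go take a look at the dw database on the lawn")
  • "开发机 MySQL 查询" ("dev machine MySQL query")
  • "查询 dw 库的 [表名]" ("query [table name] in the dw database")
  • "草坪上的 MySQL dw 库" ("the MySQL dw database on the lawn")
  • "datax 数据库查询" ("datax database query")

Configuration

Development machine configuration

  • Hostname: datax
  • Working directory: /mnt/www
  • Database type: MySQL
  • Database name: dw (there may be several: dw, dw库, data_warehouse, etc.)

Database connection

# Connection method
ssh datax "mysql -u [user] -p[password] [database] -e 'SQL statement'"

# Or log in directly
ssh datax "mysql -h localhost -u [user] -p[password]"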

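Usage examples

Example 1: List tables

User: "Go take a look at which tables are in the dw database on the lawn"

Run:

ssh datax "mysql -h localhost -u [user] -p[password] dw -e 'show tables;'"

Reply: list of tables

Example 2: Query user data

User: "Show which users are in tr_user in the dw database"

Run:

ssh datax "mysql -h localhost -u [user] -p[password] dw -e 'select * from tr_user limit 50;'"

Reply: table of users

Example 3: Query table structure

User: "What does the structure of the tr_user table look like"

Run:

ssh datax "mysql -h localhost -u [user] -p[password] dw -e 'desc tr_user;'"

Reply: table structure details

Example 4: Statistics

User: "How many rows are in the tr_user table of the dw database"

Run:

ssh datax "mysql -h localhost -u [user] -p[password] dw -e 'select count(*) from tr_user;'"

Reply: row count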


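Database information

Possible database names

| Database name | Description |
|---|---|
| dw | Main data warehouse database |
| dw库 | Chinese alias |
| data_warehouse | Full English name |
| sg_alith_sync_fle_tra | Thailand project database |

Common tables

| Table name | Description |
|---|---|
| tr_user | User table |
| tr_order | Order table |
| tr_store | Store table |
| tr_client | Client table |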
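Execution flow

  1. Receive the query instruction
    • Parse the user's intent
    • Extract the database name, table name and query conditions
  2. Build the SQL statement
    • Generate the SQL that matches the intent
    • Add a LIMIT (50 rows by default)
  3. Execute over SSH
    • Connect to the datax development machine
    • Run the MySQL query
    • Collect the result
  4. Format the output
    • Present the result as a table
    • Add statistics
    • Send to Feishu

Security notes

  1. Read-only operations - only SELECT queries are executed; INSERT/UPDATE/DELETE are not
  2. LIMIT restriction - LIMIT 50 by default, to avoid large result sets
  3. Password protection - the MySQL password is not written to logs
  4. Access control - only authorized databases and tables are queried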
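
An added sketch of how the four security notes above could be enforced when the SSH command is built; it is not the skill's query_db.py, which this page does not show. The function names, the allowlists and the remote option-file path are assumptions: the file is a hypothetical MySQL option file on datax that holds the credentials, so no password appears in the command line.

```python
import re
import shlex

# Assumed values for this sketch; none of them come from the skill's script.
SSH_HOST = "datax"                                # host name from the README
DEFAULTS_FILE = "/home/agent/.dw_readonly.cnf"    # hypothetical remote option file
ALLOWED_DATABASES = {"dw", "data_warehouse"}
ALLOWED_TABLES = {"tr_user", "tr_order", "tr_store", "tr_client"}
MAX_ROWS = 50
IDENT = re.compile(r"[A-Za-z_][A-Za-z0-9_]{0,63}")


def check_ident(name, allowed):
    """Accept a name only if it is a plain identifier AND on the allowlist."""
    if not IDENT.fullmatch(name) or name not in allowed:
        raise ValueError(f"identifier not allowed: {name!r}")
    return name


def build_sql(action, table, limit=MAX_ROWS):
    """Build one statement from a fixed template; callers never supply raw SQL."""
    table = check_ident(table, ALLOWED_TABLES)
    if action == "rows":
        limit = max(1, min(int(limit), MAX_ROWS))   # clamp to the 50-row cap
        return f"SELECT * FROM `{table}` LIMIT {limit}"
    if action == "count":
        return f"SELECT COUNT(*) FROM `{table}`"
    if action == "describe":
        return f"DESCRIBE `{table}`"
    raise ValueError(f"unsupported action: {action!r}")


def build_ssh_argv(database, sql):
    """Return an argv list for subprocess.run(argv) with no local shell."""
    database = check_ident(database, ALLOWED_DATABASES)
    remote = ["mysql", f"--defaults-extra-file={DEFAULTS_FILE}",
              "--batch", database, "-e", sql]
    # ssh joins its trailing arguments and hands the string to the remote
    # login shell, so every element is quoted for that shell here.
    return ["ssh", SSH_HOST, " ".join(shlex.quote(a) for a in remote)]


if __name__ == "__main__":
    print(build_ssh_argv("dw", build_sql("rows", "tr_user", 500)))
```

Pair this with a MySQL account that holds only SELECT on the permitted schemas, so the read-only rule is also enforced by the server.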

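Related files

  • Skill location: ~/.openclaw/workspace/skills/dev-machine-database/SKILL.md
  • Script location: ~/.openclaw/workspace/skills/dev-machine-database/query_db.py
  • Configuration location: ~/.openclaw/workspace/TOOLS.md (development machine configuration)

Changelog

2026-03-04

  • ✅ Skill created
  • ✅ MySQL queries supported
  • ✅ Feishu sending integrated
  • ✅ Multiple trigger phrases supported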
Usage Guidance
Do not install or run this skill without remediation. Specific concerns:
  • The included script contains hard-coded DB credentials (root / "123456") and assumes SSH access to a host named 'datax' and a Docker 'mysql' container. The skill metadata does not declare any credentials or secrets — this is inconsistent and unsafe.
  • The script builds shell commands from user-supplied names/SQL and calls ssh subprocesses directly, which can allow command injection and arbitrary remote command execution if inputs are not strictly validated.
  • SKILL.md mentions sending results to Feishu and config files that are not provided; clarify where external integrations and secrets will be stored.
What to ask the author or change before use:
  • Remove hard-coded credentials; require secrets be provided via declared env vars or a secure secrets store and document required SSH credentials explicitly.
  • Sanitize/whitelist table names and disallow arbitrary SQL that could lead to shell injection; enforce read-only checks server-side where possible.
  • Provide clear install/config instructions for SSH keys or agent forwarding, and disclose any external integrations (Feishu) with required tokens.
  • Rotate any exposed credentials immediately if they were real, and consider not running this skill on production systems.
If you cannot get these changes, classify the skill as unsafe to enable because it can leak credentials or execute unintended commands on your development host.
Capability Analysis
Type: OpenClaw Skill
Name: dev-machine-database
Version: 1.0.0
The skill bundle contains a Python script (query_db.py) with a critical shell injection vulnerability in the query_mysql_docker function, where SQL strings are directly interpolated into a command string executed via SSH on a remote host (datax). It also includes hardcoded database credentials (root:123456). While these represent significant security risks (Remote Code Execution), they appear to be unintentional flaws in a developer utility rather than intentional malware.
Capability Assessment
Purpose & Capability
The skill claims only to perform read-only SELECTs over SSH to host 'datax', which is consistent with the examples. However the included script embeds a MySQL root username and a plaintext password and assumes a Docker container name. The skill declares no required env vars or credentials even though it clearly needs SSH access and DB credentials; that mismatch is a coherence problem.
Instruction Scope
SKILL.md instructs making SSH calls and running mysql commands (expected), but also references sending results to Feishu and workspace config files that aren't present. The script builds shell commands directly from inputs (table/where/sql) and then passes them to ssh subprocess calls without sanitization, creating command-injection risk and scope creep beyond simple safe SELECTs.
Install Mechanism
No install spec (instruction-only plus an included script) — lowest install risk. However a shipped code file contains plaintext DB credentials and will be stored on disk when installed, which is a risk even though there's no installer downloading remote code.
Credentials
The skill requests no environment variables or primary credential in its metadata, yet the code requires SSH access to 'datax' and hard-codes MYSQL_USER and MYSQL_PASSWORD. Requesting root DB credentials (and storing them in code) is disproportionate and not documented in the manifest. The skill also assumes presence of 'docker' on the remote host and an accessible 'mysql' container.
Persistence & Privilege
always is false and the skill does not request permanent agent-wide privileges. There is no evidence it modifies other skills or global config. Autonomous invocation is allowed by default, which is normal, but combine this with the other concerns when deciding whether to enable.
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install dev-machine-database
  3. After installation, invoke the skill by name or use /dev-machine-database
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.0
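dev-machine-database v1.0.0
  • Initial release; supports querying the dw database in MySQL on the development machine (datax) over SSH.
  • Supports multiple Chinese and English natural-language trigger phrases.
  • Read-only by default; all queries default to LIMIT 50 for safety.
  • Query result tables are automatically sent to Feishu.
  • Covers common commands: listing tables, viewing table structure, counting rows.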
Metadata
Slug dev-machine-database
Version 1.0.0
License MIT-0
All-time Installs 1
Active Installs 1
Total Versions 1
Frequently Asked Questions

What is Dev Machine Database?

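Connects to the development machine datax over SSH and queries table structures, data and statistics in the MySQL dw database; supports read-only SELECT operations, limited to 50 records. It is an AI Agent Skill for Claude Code / OpenClaw, with 112 downloads so far.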

How do I install Dev Machine Database?

Run "/install dev-machine-database" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is Dev Machine Database free?

Yes, Dev Machine Database is completely free, licensed under MIT-0. You can download, install and use it at no cost.

Which platforms does Dev Machine Database support?

Dev Machine Database is cross-platform and runs anywhere OpenClaw / Claude Code is available.

Who created Dev Machine Database?

It is built and maintained by alexmayanjun-collab (@alexmayanjun-collab); the current version is v1.0.0.
