Php Sql Fixer
by Xavier Mary · GitHub · v1.0.0 · MIT-0
85 Downloads · 0 Stars · 0 Active Installs · 1 Versions
Install in OpenClaw: /install php-sql-fixer
Description
Detect SQL injection risks in PHP/Yaf projects and generate parameterized query fix patches. Scans for string concatenation in SQL, unsafe superglobal interp...
Usage Guidance
This package mostly contains a reasonable SQL scanner for PHP/Yaf, but it appears incomplete and somewhat sloppy. Before installing or running it:
1) Do not run anything as root or against production code — test on a cloned repo.
2) Verify the missing file: look for scripts/suggest_fix.php (referenced in SKILL.md); if absent, ask the publisher or obtain the helper before relying on automatic fixes.
3) Remove or update the hard-coded docker-compose path in the docs — it references the author's machine and will fail on yours.
4) Inspect scripts/scan_sql.sh yourself (it uses grep) — it performs only local file scanning and prints a report; there are no network calls in the included files.
5) If you plan to apply fixes, review each suggested change manually and run php -l and your test suite in a safe environment.
If the missing helper is supplied later, re-run a security review on that file before use.
Capability Analysis
Type: OpenClaw Skill
Name: php-sql-fixer
Version: 1.0.0
The skill bundle is a legitimate security auditing tool designed to identify and suggest fixes for SQL injection vulnerabilities in PHP projects, specifically those using the Yaf framework. The 'scan_sql.sh' script uses grep to find common unsafe patterns like string concatenation and superglobal interpolation in SQL queries, while 'SKILL.md' and 'references/fix-patterns.md' provide clear instructions and documentation for an AI agent to triage and remediate these risks. Although the bundle contains a highly specific hardcoded path for a Docker configuration (/mnt/d/Users/Public/php20250819/docker-php7.3/docker-compose.yml), this appears to be an environment-specific setting for syntax verification rather than a malicious indicator. No evidence of data exfiltration, unauthorized execution, or prompt injection was found.
Capability Assessment
Purpose & Capability
Name and description match the included scanner logic and fix-patterns documentation. The declared required binaries (bash, grep, php) mostly make sense for scanning and for the referenced PHP helper, but the code bundle only contains a bash scanner and the PHP suggestion script referenced in SKILL.md is not present — a mismatch between claimed capabilities and included files.
Instruction Scope
SKILL.md stays within the stated domain (scan, triage, generate fixes) but instructs running a PHP helper (suggest_fix.php) that is not included and contains a hard-coded, author-specific docker-compose path (/mnt/d/Users/Public/.../docker-php7.3/docker-compose.yml). The docker path is unrelated to the skill itself and reveals a host-specific command that won't work for most users; this suggests poor hygiene or incomplete packaging. Other instructions (open files, check superglobals, run curl tests) are appropriate for the task.
Install Mechanism
Instruction-only skill with no install spec and no remote downloads — low install risk. The only included executable artifact is a bash scanner script; nothing is written to disk by an installer.
Credentials
No environment variables, credentials, or config paths are requested. The skill only requires local binaries (bash, grep, php) which are proportional to a source-code scanner and PHP helper.
Persistence & Privilege
Manifest flags are always: false and user-invocable: true, and no code modifies other skills or system configs. The skill does not request persistent privileges or auto-registration.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat: /install php-sql-fixer
- After installation, invoke the skill by name or use /php-sql-fixer
- Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.0
Initial release of php-sql-fixer.
- Scans PHP/Yaf projects for SQL injection risks including string concatenation, unsafe superglobal use, and sprintf-based injection.
- Generates annotated before/after fix suggestions using parameterized query patterns.
- Supports PHP 7.3 and common Yaf DB conventions.
- Provides step-by-step workflow: scan, triage, suggest fixes, manual application, and verification.
- Includes fix pattern catalog and detailed false positive triage checklist.
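The three pattern classes named in the capability analysis and in this release note (string concatenation into SQL, superglobal interpolation, sprintf-built queries) can be approximated with a few grep rules. The script below is an added example written for this listing, not the skill's own scripts/scan_sql.sh; its regexes, the function names scan_sql_risks / count_findings / total_findings, and the sample PHP file it writes to a temp path are all constructed assumptions. The sample also carries one correctly parameterized prepare/execute query so you can see that the rules leave the fixed form alone.

```shell
#!/bin/sh
# Added example (not the skill's scripts/scan_sql.sh): a minimal grep-based
# scanner for the three SQL-injection pattern classes the listing describes.
# Regexes and the sample file are constructed assumptions for illustration.

# Constructed PHP sample with exactly one hit per class plus one safe,
# parameterized query that must NOT be reported (a false-positive check).
SAMPLE_PHP="$(mktemp)"
trap 'rm -f "$SAMPLE_PHP"' EXIT
cat > "$SAMPLE_PHP" <<'PHP'
<?php
$id = $_GET['id'];
// class 1: user-controlled variable concatenated into the query string
$sql1 = "SELECT * FROM users WHERE id = " . $id;
// class 2: superglobal interpolated directly into a double-quoted query
$sql2 = "SELECT * FROM users WHERE name = '{$_POST['name']}'";
// class 3: query assembled with sprintf() from raw cookie input
$sql3 = sprintf("DELETE FROM sessions WHERE token = '%s'", $_COOKIE['t']);
// safe: placeholder plus bound parameter, the shape a fix should produce
$stmt = $db->prepare("SELECT * FROM users WHERE id = ?");
$stmt->execute([$id]);
PHP

# scan_sql_risks FILE
# Emits one line per finding as  <class>:<line-number>:<source line>.
scan_sql_risks() {
    file="$1"
    # class 1: a double-quoted SQL literal followed by "." and a $variable
    grep -n -E '"[^"]*(SELECT|INSERT|UPDATE|DELETE)[[:space:]][^"]*"[[:space:]]*\.[[:space:]]*\$' "$file" \
        | sed 's/^/concat:/'
    # class 2: a superglobal ($_GET, $_POST, ...) inside a double-quoted SQL literal,
    # with or without the {$...} interpolation braces
    grep -n -E '"[^"]*(SELECT|INSERT|UPDATE|DELETE)[[:space:]][^"]*[{]?\$_(GET|POST|REQUEST|COOKIE|SERVER)' "$file" \
        | sed 's/^/superglobal:/'
    # class 3: sprintf() whose format string is an SQL statement
    grep -n -E 'sprintf[[:space:]]*\([[:space:]]*"[^"]*(SELECT|INSERT|UPDATE|DELETE)[[:space:]]' "$file" \
        | sed 's/^/sprintf:/'
    return 0
}

# count_findings FILE CLASS -> number of findings in CLASS (prints 0 if none)
count_findings() {
    scan_sql_risks "$1" | grep -c "^$2:" || true
}

# total_findings FILE -> number of findings across all classes
total_findings() {
    scan_sql_risks "$1" | wc -l | tr -d '[:space:]'
}

# Usage: print the report for the constructed sample.
echo "Findings in $SAMPLE_PHP:"
scan_sql_risks "$SAMPLE_PHP"
echo "total: $(total_findings "$SAMPLE_PHP")"
```

Each finding line carries the source line number so it can be triaged by hand, which matches the workflow the listing describes (scan, triage, then apply fixes manually). Grep rules of this kind are a coarse first pass: they will miss queries built across several statements and will flag some safe code, so the prepare/execute line at the end of the sample is the shape to compare each hit against before changing anything.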
Frequently Asked Questions
What is Php Sql Fixer?
Detect SQL injection risks in PHP/Yaf projects and generate parameterized query fix patches. Scans for string concatenation in SQL, unsafe superglobal interp... It is an AI Agent Skill for Claude Code / OpenClaw, with 85 downloads so far.
How do I install Php Sql Fixer?
Run "/install php-sql-fixer" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is Php Sql Fixer free?
Yes, Php Sql Fixer is completely free, licensed under MIT-0. You can download, install and use it at no cost.
Which platforms does Php Sql Fixer support?
Php Sql Fixer is cross-platform and runs anywhere OpenClaw / Claude Code is available.
Who created Php Sql Fixer?
It is built and maintained by Xavier Mary (@xaviermary56); the current version is v1.0.0.