← Back to Skills Marketplace
100
Downloads
0
Stars
0
Active Installs
1
Versions
Install in OpenClaw
/install cshi
Description
extract parameters from a given URL and save them into a MySQL database. use when you need to store URL query parameters for later processing or analysis.
README (SKILL.md)
\r \r
URL Parameter Saver\r
\r This skill extracts parameters from a provided URL and saves them into a MySQL database. If the table does not exist, it will be created automatically. Currently supports single URL processing.\r \r
Usage\r
\r
- Call the
save_url_params.pyscript with a URL.\r - The script parses the query parameters and inserts them as a new row in the database.\r
- Each URL's parameters are saved in independent rows.\r \r
Database\r
\r
- Database type: MySQL\r
- Table name:
url_parameters\r - Columns: dynamically matched to URL parameter names
Usage Guidance
This skill contains legitimate functionality but has important problems you should address before installing or running it:
- Do not run this against production or sensitive databases yet. The code will create tables and add columns based on URL parameter names.
- The script uses environment variables DB_HOST/DB_USER/DB_PASSWORD/DB_NAME but the skill metadata and README do not declare them. Ensure you supply credentials only for a safe, isolated test database.
- Major security issue: column names are built directly from URL parameter names and interpolated into CREATE TABLE and INSERT SQL without quoting or validation. An attacker-controlled URL could cause SQL syntax errors or SQL injection via crafted identifier names. Fix by validating/whitelisting parameter names, quoting identifiers safely (e.g., backticks after strict validation), or mapping parameter names to safe column names.
- Add explicit dependency documentation: require Python and mysql-connector-python (or equivalent), and include instructions for installing them.
- Consider changing design: instead of dynamic columns, store parameters as key/value rows or a JSON column to avoid dynamic identifier creation.
If you cannot review and fix the code yourself, treat the skill as unsafe for use with any database that contains sensitive data or production credentials.
Capability Analysis
Type: OpenClaw Skill
Name: cshi
Version: 1.0.0
The skill contains critical SQL injection vulnerabilities in scripts/save_url_params.py. The script dynamically constructs SQL 'CREATE TABLE' and 'INSERT' statements using f-strings that incorporate unsanitized keys directly from URL query parameters. An attacker could exploit this by providing a crafted URL to execute arbitrary SQL commands or manipulate the database schema. However, because the code's behavior aligns with its stated purpose and lacks evidence of intentional malice or data exfiltration, it is classified as suspicious rather than malicious.
Capability Assessment
Purpose & Capability
The skill's stated purpose (save URL query parameters to MySQL) matches the included script. However the SKILL metadata claims no required environment variables or binaries, while the script relies on DB_HOST/DB_USER/DB_PASSWORD/DB_NAME environment variables and the Python mysql.connector module. Those omissions are incoherent with the claimed requirements.
Instruction Scope
SKILL.md simply instructs running the Python script with a URL. The script will read DB connection environment variables (even though SKILL.md/metadata don't declare them) and create tables/columns derived directly from URL parameter names. The instructions do not warn about or constrain what parameter names may be used, nor do they instruct any sanitization or safe DB target (e.g., not to run against production).
Install Mechanism
There is no install spec (instruction-only), which reduces install-supply risk. However the script depends on Python and the mysql.connector library (mysql-connector-python) which are not declared. That omission can cause execution failures and hides the true runtime surface.
Credentials
The script expects database credentials via environment variables (DB_HOST, DB_USER, DB_PASSWORD, DB_NAME) and provides insecure defaults (root/root on localhost/test_db). Those credentials are not declared in requires.env or documentation. Requesting DB credentials is proportionate to the task, but failing to declare them and using privileged defaults is concerning.
Persistence & Privilege
The skill does not request persistent privileges (always:false), does not modify other skills, and only performs DB writes as its intended action. No platform-level privilege escalation is apparent.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat:
/install cshi - After installation, invoke the skill by name or use
/cshi - Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.0
Initial release of the URL Parameter Saver skill.
- Extracts query parameters from a given URL.
- Saves extracted parameters into a MySQL database.
- Automatically creates the 'url_parameters' table if it doesn't exist.
- Supports processing one URL at a time.
- Table columns are dynamically matched to URL parameter names.
Metadata
Frequently Asked Questions
What is lin?
extract parameters from a given URL and save them into a MySQL database. use when you need to store URL query parameters for later processing or analysis. It is an AI Agent Skill for Claude Code / OpenClaw, with 100 downloads so far.
How do I install lin?
Run "/install cshi" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is lin free?
Yes, lin is completely free, licensed under MIT-0. You can download, install and use it at no cost.
Which platforms does lin support?
lin is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).
Who created lin?
It is built and maintained by 番茄番茄番茄范 (@lin-shiwu); the current version is v1.0.0.
More Skills