
migratesafe

by suhteevah · GitHub ↗ · v1.0.2 · MIT-0
Platforms: darwin, linux, win32 · ✓ Security Clean
83 Downloads · 0 Stars · 0 Active Installs · 2 Versions
Install in OpenClaw: /install migratesafe
Description
Database migration safety checker — catches destructive migrations before they reach production
README (SKILL.md)

# MigrateSafe — Database Migration Safety Checker

MigrateSafe analyzes database migration files for destructive operations before they reach production. It detects DROP TABLE, column removals, risky type changes, missing rollbacks, lock hazards, and unsafe ALTER operations across raw SQL, Rails, Django, Knex.js, Prisma, Flyway, and Liquibase migrations. It uses regex-based pattern matching with risk scoring and produces compliance reports.

## Commands

### Free Tier (No license required)

#### `migratesafe scan [file|directory]`
One-shot scan of migration files for destructive operations.

**How to execute:**
```bash
bash "<SKILL_DIR>/scripts/migratesafe.sh" scan [target]
```

**What it does:**
1. Accepts a file path or directory (defaults to current directory)
2. Auto-detects migration framework (SQL, Rails, Django, Knex, Prisma, Flyway, Liquibase)
3. Finds all migration files in standard locations (db/migrate, migrations/, prisma/migrations, sql/)
4. Runs 15+ destructive operation patterns against each file
5. Calculates a risk score (0-100) per file and overall
6. Outputs findings with: file, line number, severity, operation, recommendation
7. Exit code 0 if safe, exit code 1 if critical/high risk operations detected
8. Free tier limited to 3 migration files per scan

**Example usage scenarios:**
- "Check my migrations for destructive operations" -> runs `migratesafe scan .`
- "Is this migration safe to deploy?" -> runs `migratesafe scan db/migrate/20240115_add_users.sql`
- "Scan my SQL files for DROP statements" -> runs `migratesafe scan migrations/`

#### `migratesafe help`
Show available commands and usage information.

```bash
bash "<SKILL_DIR>/scripts/migratesafe.sh" help
```

#### `migratesafe version`
Show version information.

```bash
bash "<SKILL_DIR>/scripts/migratesafe.sh" version
```

### Pro Tier ($19/user/month -- requires MIGRATESAFE_LICENSE_KEY)

#### `migratesafe hooks install`
Install git pre-commit hooks that scan staged migration files before every commit.

**How to execute:**
```bash
bash "<SKILL_DIR>/scripts/migratesafe.sh" hooks install
```

**What it does:**
1. Validates Pro+ license
2. Copies lefthook config to project root
3. Installs lefthook pre-commit hook
4. On every commit: scans all staged migration files, blocks commit if critical/high risk, shows remediation advice

#### `migratesafe hooks uninstall`
Remove MigrateSafe git hooks.

```bash
bash "<SKILL_DIR>/scripts/migratesafe.sh" hooks uninstall
```

#### `migratesafe rollback-check [directory]`
Verify that every UP migration has a corresponding DOWN/rollback migration.

```bash
bash "<SKILL_DIR>/scripts/migratesafe.sh" rollback-check [directory]
```

**What it does:**
1. Validates Pro+ license
2. Scans migration directories for UP migrations
3. Checks for corresponding rollback/down files or reversible blocks
4. Reports missing rollbacks with severity assessment

#### `migratesafe diff <file1> <file2>`
Compare two schema versions and highlight dangerous changes.

```bash
bash "<SKILL_DIR>/scripts/migratesafe.sh" diff schema_v1.sql schema_v2.sql
```

**What it does:**
1. Validates Pro+ license
2. Compares two SQL schema files
3. Identifies dropped tables, removed columns, type changes
4. Shows side-by-side diff with risk annotations

### Team Tier ($39/user/month -- requires MIGRATESAFE_LICENSE_KEY with team tier)

#### `migratesafe history [directory]`
Show migration risk history across all migrations in the project.

```bash
bash "<SKILL_DIR>/scripts/migratesafe.sh" history [directory]
```

**What it does:**
1. Validates Team+ license
2. Scans all migration files chronologically
3. Builds a risk timeline showing when dangerous migrations were introduced
4. Reports cumulative risk score and trends

#### `migratesafe report [directory]`
Generate a full compliance report in markdown format.

```bash
bash "<SKILL_DIR>/scripts/migratesafe.sh" report [directory]
```

**What it does:**
1. Validates Team+ license
2. Runs full scan of all migration files
3. Generates a formatted markdown report from template
4. Includes per-file breakdowns, risk scores, recommendations, rollback status
5. Output suitable for compliance audits and change advisory boards

## Detected Destructive Operations

MigrateSafe detects 15+ destructive patterns across 7 migration frameworks:

| Category | Examples | Severity |
|----------|----------|----------|
| **Table Drops** | DROP TABLE, drop_table, DeleteModel, dropTable | Critical |
| **Truncation** | TRUNCATE TABLE, unconditional DELETE FROM | Critical |
| **Column Drops** | DROP COLUMN, remove_column, RemoveField, dropColumn | High |
| **Type Changes** | ALTER COLUMN...TYPE, change_column, AlterField | High |
| **Constraint Removal** | DROP CONSTRAINT, DROP INDEX, RemoveConstraint, remove_index | High |
| **NOT NULL Additions** | SET NOT NULL (without DEFAULT), add non-null column | Medium |
| **Missing Transactions** | Migrations not wrapped in BEGIN/COMMIT | Medium |
| **Lock Hazards** | CREATE INDEX (without CONCURRENTLY), ALTER TABLE on large tables | Medium |
| **Cascade Deletes** | ON DELETE CASCADE, CASCADE changes | Medium |
| **Column Renames** | RENAME COLUMN, rename_column, RenameField | Low |
| **Data Loss Risk** | REPLACE operations, ON DELETE SET NULL changes | Low |

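The scan steps and severity table above describe regex matching with a cumulative risk score and a CI-friendly exit code. The sketch below is an added example of that approach, not MigrateSafe's own `patterns.sh` or `analyzer.sh`: the rule table, the weights, the `scan_file` name and the sample migration are all assumptions. Line-based regexes also match commented-out SQL, so treat findings as review prompts.

```bash
#!/bin/sh
# Constructed rule table: severity;weight;label;match ERE;optional exclude ERE.
# Severities follow the table above; the weights are assumptions.
RULES='critical;40;table drop;DROP[[:space:]]+TABLE
critical;40;truncation;TRUNCATE[[:space:]]+TABLE
high;25;column drop;DROP[[:space:]]+COLUMN
high;25;type change;ALTER[[:space:]]+COLUMN.*TYPE
medium;10;index without CONCURRENTLY;CREATE[[:space:]]+(UNIQUE[[:space:]]+)?INDEX;CONCURRENTLY
low;5;column rename;RENAME[[:space:]]+COLUMN'

# Print one finding per matching line, then "risk_score=N" (capped at 100).
# Exit status is 1 when any critical or high finding exists, else 0.
scan_file() (
  file=$1; score=0; blocked=0
  while IFS=';' read -r sev weight label match exclude; do
    hits=$(grep -niE -- "$match" "$file" || true)
    if [ -n "$exclude" ] && [ -n "$hits" ]; then
      # Drop lines that carry the safe variant (e.g. CONCURRENTLY).
      hits=$(printf '%s\n' "$hits" | grep -viE -- "$exclude" || true)
    fi
    [ -n "$hits" ] || continue
    n=$(printf '%s\n' "$hits" | wc -l)
    score=$((score + $weight * $n))
    case $sev in critical|high) blocked=1 ;; esac
    printf '%s\n' "$hits" | while IFS=: read -r ln rest; do
      printf '%s:%s: [%s] %s\n' "$file" "$ln" "$sev" "$label"
    done
  done <<EOF
$RULES
EOF
  [ "$score" -le 100 ] || score=100
  echo "risk_score=$score"
  [ "$blocked" -eq 0 ]
)

# Constructed sample migration (not from the project).
SAMPLE=$(mktemp)
cat >"$SAMPLE" <<'SQL'
ALTER TABLE users DROP COLUMN legacy_token;
CREATE INDEX idx_users_email ON users (email);
CREATE INDEX CONCURRENTLY idx_users_name ON users (name);
ALTER TABLE users RENAME COLUMN fullname TO display_name;
DROP TABLE sessions_old;
SQL
scan_file "$SAMPLE" || echo "blocked: critical/high findings (exit 1)"
```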
## Supported Migration Frameworks

| Framework | File Pattern | Detection |
|-----------|-------------|-----------|
| **Raw SQL** | *.sql | Full SQL pattern matching |
| **Rails** | db/migrate/*.rb | remove_column, drop_table, change_column, etc. |
| **Django** | migrations/*.py | RemoveField, DeleteModel, AlterField, etc. |
| **Knex.js** | migrations/*.js/*.ts | dropTable, dropColumn, raw.*DROP, etc. |
| **Prisma** | prisma/migrations/*.sql | Full SQL pattern matching |
| **Flyway** | sql/V*.sql | Full SQL pattern matching |
| **Liquibase** | *.xml changesets | dropTable, dropColumn, modifyDataType, etc. |

## Configuration

Add to `~/.openclaw/openclaw.json`:

```json
{
  "skills": {
    "entries": {
      "migratesafe": {
        "enabled": true,
        "apiKey": "YOUR_LICENSE_KEY",
        "config": {
          "severityThreshold": "high",
          "migrationDirs": ["db/migrate", "migrations", "prisma/migrations", "sql"],
          "ignorePatterns": ["**/test/**", "**/seed/**"],
          "requireRollbacks": true,
          "blockOnCritical": true
        }
      }
    }
  }
}
```

## Important Notes

- **Free tier** works immediately -- no configuration needed
- **All scanning happens locally** -- no code or schema data sent to external servers
- **License validation is offline** -- no phone-home or network calls
- Supports multiple migration frameworks in the same project
- Risk scores are cumulative -- a file with multiple issues scores higher
- Git hooks use **lefthook** which must be installed (see install metadata above)
- Exit codes: 0 = safe, 1 = dangerous operations detected (for CI/CD integration)

## Error Handling

- If lefthook is not installed and user tries `hooks install`, prompt to install it
- If license key is invalid or expired, show clear message with link to https://migratesafe.pages.dev/renew
- If no migration files found in target, report clean scan with info message
- If a file is binary, skip it automatically with no warning
- If migration framework cannot be determined, fall back to raw SQL pattern matching

## When to Use MigrateSafe

The user might say things like:
- "Check my migrations for destructive operations"
- "Is this migration safe to run?"
- "Scan for DROP TABLE statements"
- "Verify my rollback migrations exist"
- "Generate a migration safety report"
- "Set up pre-commit hooks for migrations"
- "Check if this schema change is dangerous"
- "Block destructive migrations from being committed"
- "Compare two schema versions"
- "Show migration risk history"

Usage Guidance
This package appears to do exactly what it claims: local regex-based scanning of migration files plus optional git hook installation. Before installing: 1) If you plan to use hooks, be prepared for the tool to create or append to lefthook.yml in your repo root (it runs lefthook install). 2) The Pro/Team features require a MIGRATESAFE_LICENSE_KEY (stored in env or ~/.openclaw/openclaw.json); the license validator can optionally verify JWT signatures if you set CLAWHUB_JWT_SECRET — do not set secrets you don't trust. 3) The tool may call optional binaries (node, openssl) if present; no network calls or exfiltration are present in the shipped scripts. If you want maximal control, inspect scripts/analyzer.sh and scripts/license.sh locally before enabling hooks or setting a license key.
Capability Analysis
Type: OpenClaw Skill
Name: migratesafe
Version: 1.0.2

MigrateSafe is a legitimate static analysis tool designed to detect destructive database migrations (e.g., DROP TABLE, column removals) across various frameworks like Rails, Django, and Prisma. The skill bundle operates entirely locally, using regex-based pattern matching in `patterns.sh` and `analyzer.sh` to identify risks. It includes standard developer features such as git hook integration via `lefthook` and an offline JWT-based license validation system in `license.sh`. No evidence of data exfiltration, malicious prompt injection, or unauthorized network activity was found; the code's behavior is consistent with its stated purpose.
Capability Tags
crypto, requires-sensitive-credentials
Capability Assessment
Purpose & Capability
Name/description (database migration safety checking) aligns with the shipped scripts, patterns, and CLI commands. Required binaries (git, bash, python3, jq) are used by the scripts. The brew install of lefthook matches the documented behavior for installing pre-commit hooks.
Instruction Scope
Runtime instructions and SKILL.md are narrowly scoped to scanning migration files, installing/removing lefthook hooks, and generating reports. The pre-commit hook will source the packaged patterns and analyzer scripts from the skill directory and run a local scan on staged files; it does not perform network calls. Note: the tool reads ~/.openclaw/openclaw.json for configuration/license, which is declared in metadata.
Install Mechanism
Install spec only pulls in lefthook via Homebrew (formula: lefthook) which is an expected dependency for git hook integration. There are no downloads from unknown URLs or extract-and-run archive steps in the package.
Credentials
Primary credential MIGRATESAFE_LICENSE_KEY is appropriate for the Pro/Team features. The license code optionally looks for CLAWHUB_JWT_SECRET (to verify JWT signatures) and may invoke node/openssl if available; CLAWHUB_JWT_SECRET is not declared in requires.env (it's optional), and node/openssl are optional runtime helpers — this is not required for normal operation but is worth being aware of.
Persistence & Privilege
always:false and disable-model-invocation:false (normal). The hooks install command will create or append to a repository-level lefthook.yml and run lefthook install — this modifies repo configuration (expected for a hooks tool). The skill does not request permanent platform-wide privileges or modify other skills' configs.
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install migratesafe
  3. After installation, invoke the skill by name or use /migratesafe
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.2
Fix: POSIX ERE regex compliance, declare all deps, JWT verification
v1.0.0
Initial release of migratesafe — a database migration safety checker.
- Scans migration files for destructive operations like DROP TABLE, column removals, risky type changes, and more.
- Supports major frameworks: raw SQL, Rails, Django, Knex.js, Prisma, Flyway, and Liquibase.
- Provides risk scoring, detailed findings, and compliance reports.
- Offers free tier scanning (up to 3 files), with Pro/Team tiers for git hooks, rollback checks, schema diffing, risk history, and markdown compliance reports.
- Local scanning with no data sent externally; supports offline license validation.
Metadata
Slug migratesafe
Version 1.0.2
License MIT-0
All-time Installs 0
Active Installs 0
Total Versions 2
Frequently Asked Questions

What is migratesafe?

Database migration safety checker — catches destructive migrations before they reach production. It is an AI Agent Skill for Claude Code / OpenClaw, with 83 downloads so far.

How do I install migratesafe?

Run "/install migratesafe" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is migratesafe free?

Yes, migratesafe is completely free, licensed under MIT-0. You can download, install and use it at no cost.

Which platforms does migratesafe support?

migratesafe is cross-platform and runs anywhere OpenClaw / Claude Code is available (darwin, linux, win32).

Who created migratesafe?

It is built and maintained by suhteevah (@suhteevah); the current version is v1.0.2.
