← Back to Skills Marketplace
364
Downloads
0
Stars
1
Active Installs
2
Versions
Install in OpenClaw
/install oceanbase-datapilot
Description
面向所有问数与数据分析场景,基于 DataPilot 的 OpenAPI 执行从数据源接入到数据问答的完整流程。用于自然语言查数、SQL 查询校验、图表生成、报告导出下载、创建与管理数据分析 Agent、维护 Agent 知识库。
Usage Guidance
This skill is coherent with its stated purpose (a Node CLI for DataPilot) but the bundled script writes persistent logs and explicitly logs the DATAPILOT_API_KEY value into dataagent_cli.log. Before installing or running: 1) Do not supply a high-privilege/long-lived API key — create a least-privilege key you can rotate. 2) Inspect or modify dataagent_openapi_cli.mjs to remove or sanitize keyenv logging (replace raw key with sanitized value or remove the field). 3) Run the script in an isolated environment (ephemeral container or sandbox) if you must test it, and ensure the logfile is not included in backups or synced locations. 4) Consider deleting or securing dataagent_cli.log after use and rotating the API key if it was exposed. If the author can clarify why the raw API key is logged and remove that behavior, the risk would be substantially reduced.
Capability Analysis
Type: OpenClaw Skill
Name: oceanbase-datapilot
Version: 1.0.1
The skill bundle contains significant security vulnerabilities in 'dataagent_openapi_cli.mjs' that could be exploited. Specifically, the script logs the raw 'DATAPILOT_API_KEY' to a local file ('dataagent_cli.log') within the 'getAuthHeaders' function, despite having sanitization logic elsewhere. Furthermore, the 'create-instance' command facilitates arbitrary file reading and uploading via the '--sqlite-file' argument without path validation, potentially allowing an attacker to exfiltrate sensitive system files if the AI agent is manipulated. While these appear to be unintentional design flaws rather than intentional malware, they pose a high risk.
Capability Assessment
Purpose & Capability
Name/description, required binary (node), and required env vars (DATAPILOT_API_URL, DATAPILOT_API_KEY) align with the included CLI script that calls a DataPilot OpenAPI (create-instance, ask, list-agents, knowledge management). Requested resources (API URL + key, ability to read user-provided datasource files) are proportional to the stated purpose.
Instruction Scope
SKILL.md instructs running the included node script and supplying datasource files; the runtime code reads user-supplied files (datasource JSON, sqlite .db) which is expected. However, the SKILL.md does not mention that the CLI will write a persistent log file in the skill directory or that it logs authentication material. The code calls writeLog() frequently and in getAuthHeaders() it passes keyenv: process.env.DATAPILOT_API_KEY (the raw API key) to the logger, which is a mismatch with the documentation and a potential secret-exposure vector.
Install Mechanism
There is no install spec (instruction-only + included node script). That is low-risk in terms of external code downloads. The included JS file will be executed with node; no external archive downloads or third-party package installs are present in the bundle.
Credentials
Requiring DATAPILOT_API_URL and DATAPILOT_API_KEY is appropriate for an API client. However, the code logs environment and argument data to a local log file and — crucially — writes the raw DATAPILOT_API_KEY into logs (getAuthHeaders calls writeLog with keyenv: process.env.DATAPILOT_API_KEY). Even partial exposure or local logging of secrets is disproportionate and increases risk if the logfile is accessible, synced, or exfiltrated.
Persistence & Privilege
always:false and the skill does not request system-wide privileges or modify other skills. It does create/append a local logfile (dataagent_cli.log) in the script directory, which is persistent on disk; this persistent logging combined with credential logging is the main concern but does not indicate elevated platform privileges.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat:
/install oceanbase-datapilot - After installation, invoke the skill by name or use
/oceanbase-datapilot - Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.1
oceanbase-datapilot 1.0.1
- Updated CLI usage examples in documentation to remove redundant --base-url and unify command formats.
- Minor documentation refinements for clarity and consistency.
- No changes to command set or APIs.
v1.0.0
Initial release of oceanbase-datapilot skill.
- Provides end-to-end data analysis workflow using DataPilot OpenAPI, from data source connection to natural language Q&A.
- Supports DataAgent creation, SQL validation, chart generation, report export, and knowledge management.
- CLI tool enables creating agents, asking data questions, listing agents, and managing agent knowledge.
- Compatible with multiple data sources: SQLite, MySQL, PostgreSQL, ODPS, and OBO Oracle.
- Requires Node.js and configuration of DATAPILOT_API_URL and DATAPILOT_API_KEY environment variables.
Metadata
Frequently Asked Questions
What is datapilot?
面向所有问数与数据分析场景,基于 DataPilot 的 OpenAPI 执行从数据源接入到数据问答的完整流程。用于自然语言查数、SQL 查询校验、图表生成、报告导出下载、创建与管理数据分析 Agent、维护 Agent 知识库。 It is an AI Agent Skill for Claude Code / OpenClaw, with 364 downloads so far.
How do I install datapilot?
Run "/install oceanbase-datapilot" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is datapilot free?
Yes, datapilot is completely free (open-source). You can download, install and use it at no cost.
Which platforms does datapilot support?
datapilot is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).
Who created datapilot?
It is built and maintained by HSunboy (@hsunboy); the current version is v1.0.1.
More Skills