Downloads: 1138
Stars: 1
Active Installs: 2
Versions: 1
Install in OpenClaw
/install postgres-db
Description
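PostgreSQL database operations skill. Used to perform database operations such as SQL queries, table management, backup and restore, and performance monitoring. Trigger conditions: the user mentions PostgreSQL, postgres, database queries, SQL queries, table structure, database backups, and similar.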
Usage Guidance
This skill appears to implement the PostgreSQL features it claims, but before installing:
(1) Note the registry metadata omits required PG environment variables — the scripts expect PGHOST/PGPORT/PGDATABASE/PGUSER/PGPASSWORD, so supply only a least-privileged DB user.
(2) Ensure pg_dump/pg_restore and psycopg2 are installed on the host; the scripts use subprocess to call pg_dump and will fail if absent.
(3) Backups are written to disk (backup_dir) — verify the directory, permissions, and retention policy so backups are not exposed.
(4) Review the scripts yourself if you don't fully trust the source: they execute arbitrary SQL and run pg_restore/pg_dump, which can modify or drop data when run with sufficient privileges.
(5) If you plan to allow the agent to invoke autonomously, restrict credentials and consider creating a dedicated read/backup role (avoid superuser) to limit blast radius.
Capability Analysis
Type: OpenClaw Skill
Name: postgres-db
Version: 1.0.0
The skill is classified as suspicious due to several critical vulnerabilities. The `scripts/query.py` file directly executes arbitrary SQL queries provided as command-line arguments, creating a significant SQL injection risk if an AI agent constructs these queries from untrusted user input. Additionally, `scripts/backup.py` executes external `pg_dump` and `pg_restore` commands with arguments derived from user input, which could lead to argument injection or unintended file operations. The `scripts/schema_export.py` script also presents a file write vulnerability by allowing the output path to be specified arbitrarily, potentially overwriting sensitive files. While these are not explicitly malicious actions, they are severe flaws that could be exploited for unauthorized database access, data manipulation, or system compromise.
Capability Assessment
Purpose & Capability
The name/description, SKILL.md and included scripts all align with PostgreSQL tasks (query execution, schema export, backup/restore). However the registry metadata lists no required environment variables while the SKILL.md and scripts clearly expect PGHOST/PGPORT/PGDATABASE/PGUSER/PGPASSWORD — an inconsistency that should be resolved.
Instruction Scope
Runtime instructions are scoped to database operations and reference running the included Python scripts and PostgreSQL tools (pg_dump/pg_restore). The scripts read environment variables, write backup files to disk, and execute SQL — they do not call external network endpoints or exfiltrate data. One small mismatch: SKILL.md mentions 'performance monitoring' but there is no dedicated monitoring script; monitoring would be performed via queries (EXPLAIN, pg_stat_*), which is supported via query.py but not separately implemented.
Install Mechanism
No install spec is provided (instruction-only install), so nothing is downloaded or written by an installer. The package includes Python scripts; risk comes from executing them, but there is no remote install URL or archive to fetch.
Credentials
The scripts legitimately require database connection credentials (PG* env vars). That access is proportionate to the stated purpose. The concern is the metadata omission of these env vars (metadata declares none), and the fact that PGPASSWORD is sensitive — you should only provide least-privilege credentials and verify where backups are stored and who can access them.
Persistence & Privilege
The skill is not force-included (always: false) and does not request persistent system privileges or change other skills' configuration. Autonomous invocation is allowed (platform default) but not combined here with other red flags.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat: /install postgres-db
- After installation, invoke the skill by name or use /postgres-db
- Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.0
Initial release: PostgreSQL database operations including query execution, schema export, and backup functionality
Frequently Asked Questions
What is PostgreSQL Database?
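PostgreSQL database operations skill. Used to perform database operations such as SQL queries, table management, backup and restore, and performance monitoring. Trigger conditions: the user mentions PostgreSQL, postgres, database queries, SQL queries, table structure, database backups, and similar. It is an AI Agent Skill for Claude Code / OpenClaw, with 1138 downloads so far.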
How do I install PostgreSQL Database?
Run "/install postgres-db" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is PostgreSQL Database free?
Yes, PostgreSQL Database is completely free (open-source). You can download, install and use it at no cost.
Which platforms does PostgreSQL Database support?
PostgreSQL Database is cross-platform and runs anywhere OpenClaw / Claude Code is available.
Who created PostgreSQL Database?
It is built and maintained by limoxt (@limoxt); the current version is v1.0.0.