cyesky

Natural Language to SQL Query Assistant

by 沧海一声笑 · GitHub ↗ · v1.0.0 · MIT-0
cross-platform ⚠ suspicious
Downloads: 509
Stars: 0
Active Installs: 1
Versions: 1
Install in OpenClaw
/install nl2sql
Description
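A natural-language-to-SQL query assistant. Converts the user's natural-language description into SQL statements, executes them automatically and returns the results. Supports connecting to local or remote MySQL databases, user-specified database connection details (host/port/user/password), create/read/update/delete operations (SELECT/INSERT/UPDATE/DELETE), transactions, and multiple output formats (tabl...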
Usage Guidance
This skill appears to do what it says, but it requires you to provide database credentials and the included scripts pass passwords on the command line (mysql -p"password"), which can be visible to other local users and may be stored in process lists or logs. Also the skill instructs the agent to 'remember' connection info in the conversation, which could leave credentials in chat history. Before installing or using:
  1. Prefer giving a least-privilege, ephemeral DB account (read-only for queries; separate write account if necessary).
  2. Avoid providing production admin passwords in chat.
  3. Consider modifying the scripts to avoid passing passwords as CLI args (use mysql option files with restrictive permissions or prompt for password/stdin) or to accept a secure secret mechanism supported by your platform.
  4. Disable any long-term conversation memory for credentials or ensure the platform never persists them.
  5. Review and test the scripts in an isolated environment first.
If you cannot accept these risks, treat the skill as unsafe to enable with real/privileged credentials.
Capability Analysis
Type: OpenClaw Skill
Name: nl2sql
Version: 1.0.0
The skill bundle provides a natural language interface for MySQL database management, which involves high-risk capabilities such as shell execution and file access. Specifically, `scripts/query.sh` and `scripts/transaction.sh` can read arbitrary local files if the agent is manipulated into providing a sensitive file path as the SQL input. Additionally, `scripts/schema.sh` contains a potential SQL injection vulnerability by directly embedding the table name variable into a query string. While the `SKILL.md` and `references/guide.md` files include extensive security instructions to prevent credential leakage and require confirmation for destructive actions, the underlying scripts possess risky primitives that could be exploited if the AI agent's instructions are bypassed.
Capability Assessment
Purpose & Capability
Name/description (convert NL to SQL and execute against MySQL) match the provided scripts and SKILL.md. The scripts implement schema discovery, listing databases, executing queries, and transactions, which are expected for this purpose.
Instruction Scope
SKILL.md instructs the agent to remember connection info in the conversation and to pass host/port/user/password to scripts. Scripts accept arbitrary SQL and will execute it; destruction safeguards are described (confirm before DELETE/DROP/TRUNCATE) but enforcement depends on the agent following rules. The instruction to cache credentials in conversation expands the skill's scope to handling sensitive secrets in chat history.
Install Mechanism
No install spec; instruction-only plus included shell scripts. Nothing is downloaded or written during install. This low-install footprint is proportionate to the skill's purpose.
Credentials
The skill does not request unrelated environment credentials (no extraneous API keys), which is appropriate. However, it relies on users providing DB credentials and the scripts supply the password as mysql -p"PASSWORD" on the command line, which can expose passwords to other local users via process listings and shell histories. The requirement to 'remember connection info within the conversation' may cause passwords to be retained in chat context unless explicitly masked/managed.
Persistence & Privilege
always:false and no system-wide config changes — good. But the SKILL.md's recommendation to persist connection info in conversation means credential data may persist in chat logs/memory. This is a platform/configuration-level persistence risk rather than a skill-install privilege escalation.
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install nl2sql
  3. After installation, invoke the skill by name or use /nl2sql
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.0
Initial release of the nl2sql skill.
- Converts natural language to SQL queries and executes them on MySQL databases.
- Supports both local and remote MySQL database connections; users can provide host, port, user, and password.
- Handles SELECT, INSERT, UPDATE, DELETE queries, as well as transaction operations.
- Multiple output formats supported: table (default), CSV, and JSON.
- Strict credential security enforced: never expose database passwords in any output or reply.
- Includes safety checks for destructive operations (e.g., DELETE/DROP must be confirmed by user).
Metadata
Slug nl2sql
Version 1.0.0
License MIT-0
All-time Installs 1
Active Installs 1
Total Versions 1
Frequently Asked Questions

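What is Natural Language to SQL Query Assistant?

A natural-language-to-SQL query assistant. Converts the user's natural-language description into SQL statements, executes them automatically and returns the results. Supports connecting to local or remote MySQL databases, user-specified database connection details (host/port/user/password), create/read/update/delete operations (SELECT/INSERT/UPDATE/DELETE), transactions, and multiple output formats (tabl... It is an AI Agent Skill for Claude Code / OpenClaw, with 509 downloads so far.

How do I install Natural Language to SQL Query Assistant?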

Run "/install nl2sql" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is Natural Language to SQL Query Assistant free?

Yes, Natural Language to SQL Query Assistant is completely free, licensed under MIT-0. You can download, install and use it at no cost.

Which platforms does Natural Language to SQL Query Assistant support?

Natural Language to SQL Query Assistant is cross-platform and runs anywhere OpenClaw / Claude Code is available.

Who created Natural Language to SQL Query Assistant?

It is built and maintained by 沧海一声笑 (@cyesky); the current version is v1.0.0.
