← Back to Skills Marketplace

Museum Data Manager

Name: Museum Data Manager
Author: jackandking

by jackandking · GitHub ↗ · v1.0.0 · MIT-0

cross-platform ⚠ suspicious

254

Downloads

Stars

Active Installs

Versions

Install in OpenClaw

/install museum

Description

Manage and query museum database records, track data collection status, verify completeness, and export museum data in JSON, CSV, or SQL formats.

Usage Guidance

This skill appears to do what it claims (manage a MySQL museum DB) and only asks for DB credentials, but the implementation has insecure practices you should address before trusting it with real data. Key points to consider: - Review the code yourself (museum.py) before installing from an unknown source. The source/owner are not verified. - Avoid supplying high-privilege credentials. Create a dedicated MySQL user with the minimum privileges needed (SELECT/INSERT/UPDATE/DELETE only as required), not root. - The script shells out to the external 'mycli' program and passes the password on the command line, which can expose the password to other local users/process inspectors. Prefer a client that supports secure credential files or socket auth, or modify the tool to use a Python MySQL client (pymysql/mysql-connector) with parameterized queries. - The tool constructs SQL statements by string interpolation (e.g., custom query, list/get filters). Do not use it with untrusted inputs; sanitize or parameterize queries to avoid SQL injection. - Ensure 'mycli' is installed from a trusted source if you plan to use it; the manifest does not declare it as a required binary. - Run this tool in a controlled environment (isolated machine or container) if the database or environment is sensitive. Verify exported files (JSON/CSV) are stored where you expect and protected. If you cannot review or modify the code, consider rejecting or sandboxing this skill until these issues (command-line password exposure and unsanitized SQL) are resolved.

Capability Analysis

Type: OpenClaw Skill Name: museum Version: 1.0.0 The skill contains significant SQL injection vulnerabilities in museum.py, where user-provided command-line arguments are directly interpolated into SQL strings (e.g., in the list_museums, get_museum, and check_data functions). Additionally, it provides a 'query' command that allows for arbitrary SQL execution. While these capabilities are documented and align with the stated purpose of museum database management, the lack of input sanitization and the broad database access pose a high risk of exploitation, though no evidence of intentional malice or data exfiltration was observed.

Capability Assessment

✓ Purpose & Capability

Name, description, manifest.env and SKILL.md all align: the tool manages a MySQL museum database and requests MYSQL_HOST / MYSQL_USER / MYSQL_PSWD / DATABASE. Asking for DB credentials is appropriate for this purpose. Minor inconsistency: the code depends on the external 'mycli' binary but the manifest/requirements do not list it as a required binary.

⚠ Instruction Scope

SKILL.md instructs only database-related operations. However the runtime instructions (museum.py) execute arbitrary SQL supplied by users (museum query and other interpolated values) without sanitization, enabling SQL injection if untrusted input is used. The code also runs an external command (mycli) and passes the DB password on the command line, exposing it in process listings.

✓ Install Mechanism

No install spec — instruction-only with an included Python script. Nothing is downloaded from external URLs or installed automatically. This is low-risk from an install mechanism perspective.

ℹ Credentials

The only environment variables requested are MySQL connection credentials, which are proportionate. However, the credential handling is insecure: the password is passed as a command-line argument to subprocess.run (exposed to other local users/process inspectors). Consider using more secure credential handling (socket, .my.cnf, or parameterized DB client).

✓ Persistence & Privilege

always is false and the skill does not request persistent system-wide privileges or modify other skills. Autonomous invocation is allowed by default but not itself a concern here.

How to Use

Make sure OpenClaw is installed (local or Docker)
Run the install command in chat: /install museum
After installation, invoke the skill by name or use /museum
Provide required inputs per the skill's parameter spec and get structured output

Version History

v1.0.0

Museum Skill 1.0.0 – Initial Release - Provides commands to list, query, and manage museum data in a MySQL database. - Supports checking data collection progress, validating integrity, and exporting to JSON/CSV/SQL. - Flexible filtering and pagination for museum lists. - Custom SQL query support for advanced use cases. - Designed for integration in data collection workflows and automated reporting. - Easy installation, configuration, and troubleshooting guidance included.

Metadata

Slug museum

Version 1.0.0

License MIT-0

All-time Installs 0

Active Installs 0

Total Versions 1

Frequently Asked Questions

What is Museum Data Manager?

Manage and query museum database records, track data collection status, verify completeness, and export museum data in JSON, CSV, or SQL formats. It is an AI Agent Skill for Claude Code / OpenClaw, with 254 downloads so far.

How do I install Museum Data Manager?

Run "/install museum" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is Museum Data Manager free?

Yes, Museum Data Manager is completely free, licensed under MIT-0. You can download, install and use it at no cost.

Which platforms does Museum Data Manager support?

Museum Data Manager is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).

Who created Museum Data Manager?

It is built and maintained by jackandking (@jackandking); the current version is v1.0.0.

More Skills