Downloads: 101
Stars: 0
Active Installs: 0
Versions: 1
Install in OpenClaw
/install save-mysql
Description
Extract parameters from a given URL and save them into a MySQL database. Use when you need to store URL query parameters for later processing or analysis.
Usage Guidance
This script will connect to a MySQL server and create/modify a table using column names derived directly from URL query parameter names. Before installing or running it, consider the following:
- Credential and dependency disclosure: The skill metadata does not declare required env vars or the mysql-connector dependency. Expect to provide DB_HOST, DB_USER, DB_PASSWORD, DB_NAME and to install the mysql-connector package and Python runtime.
- Principle of least privilege: Do not run this with root or highly privileged DB accounts. Create a dedicated DB user with minimal INSERT/CREATE privileges limited to a dedicated database.
- SQL identifier injection risk: Column names are interpolated directly into CREATE TABLE and INSERT statements without quoting or validation. Malicious or malformed parameter names could break SQL or be exploited. Only allow safe column names (e.g., validate against /^[A-Za-z0-9_]+$/) and/or quote identifiers properly.
- Data sensitivity & exfiltration: The script will transmit any URL parameters to the configured DB. Ensure you trust the DB host (keep it local or in a trusted network) and avoid sending sensitive tokens/passwords. Treat this as a data exfiltration surface if the DB is remote.
- Suggested code fixes: a) Require and document env vars in SKILL.md/metadata. b) Validate/sanitize column names to a safe whitelist and quote identifiers with backticks after validation. c) Avoid hardcoded default credentials; fail if no credentials are provided. d) Add explicit instructions about installing dependencies (pip install mysql-connector-python). e) Limit column size and handle name collisions.
If you cannot review and lock down the DB and the script before use, treat this skill as risky and do not enable it on agents that can access sensitive URLs or run autonomously.
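One way to implement suggested fixes (b), (c) and (e) from the list above, as an added example that is not the skill's own code. The table name `url_params`, the helper names and the choice to reject rather than rename colliding parameters are assumptions made here.

```python
import os
import re
from urllib.parse import urlsplit, parse_qsl

SAFE_NAME = re.compile(r"[A-Za-z0-9_]+")  # whitelist from the guidance above
MAX_IDENT = 64                             # MySQL's identifier length limit
TABLE = "url_params"                       # assumed table name, not from the skill


def db_settings(env=os.environ):
    """Fail closed: no built-in root/root defaults."""
    names = ("DB_HOST", "DB_USER", "DB_PASSWORD", "DB_NAME")
    missing = [n for n in names if not env.get(n)]
    if missing:
        raise RuntimeError("missing required settings: " + ", ".join(missing))
    return {n: env[n] for n in names}


def safe_columns(url):
    """Return [(column, value)] from the query string, rejecting unsafe names."""
    out, seen = [], set()
    for key, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        if not SAFE_NAME.fullmatch(key) or len(key) > MAX_IDENT:
            raise ValueError(f"unsafe parameter name: {key!r}")
        folded = key.lower()  # MySQL column names are case-insensitive
        if folded in seen:
            raise ValueError(f"colliding parameter name: {key!r}")
        seen.add(folded)
        out.append((key, value))
    if not out:
        raise ValueError("URL has no query parameters")
    return out


def build_insert(url):
    """Build (sql, params): identifiers validated then backtick-quoted, values bound."""
    cols = safe_columns(url)
    idents = ", ".join(f"`{name}`" for name, _ in cols)
    marks = ", ".join(["%s"] * len(cols))
    sql = f"INSERT INTO `{TABLE}` ({idents}) VALUES ({marks})"
    return sql, [value for _, value in cols]
```

The returned pair is meant for `cursor.execute(sql, params)`, so parameter values are never interpolated into the statement text.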
Capability Analysis
Type: OpenClaw Skill
Name: save-mysql
Version: 1.0.1
The skill is classified as suspicious due to critical SQL injection vulnerabilities in `scripts/save_url_params.py`. The script dynamically generates database column names and table structures directly from URL query parameter keys using f-strings in both `CREATE TABLE` and `INSERT` statements without any sanitization. While the code's behavior aligns with the stated purpose in `SKILL.md`, the implementation allows for arbitrary SQL execution if a user provides a URL with malicious parameter keys.
Capability Assessment
Purpose & Capability
The name/description (save URL params to MySQL) matches the code's behavior, but the skill metadata declares no required environment variables or dependencies even though the script expects DB connection settings (DB_HOST, DB_USER, DB_PASSWORD, DB_NAME) and the mysql.connector Python package. This mismatch is unexplained and reduces transparency.
Instruction Scope
SKILL.md instructs only to run the script with a URL and mentions MySQL, which is consistent, but it omits key runtime details (Python runtime, mysql-connector package, expected env vars). The script will connect to an arbitrary MySQL host and write data there — this behavior can be a vector for unintended data exfiltration if a remote DB is configured, and the docs do not warn about sensitive data handling.
Install Mechanism
No install spec — the skill is instruction-only with an included Python script. This minimizes install-time risk, but runtime dependencies (python package mysql.connector) are not declared.
Credentials
The code relies on environment variables for DB credentials but the skill metadata lists none. Default credentials (DB_USER=root, DB_PASSWORD=root, DB_HOST=localhost, DB_NAME=test_db) are embedded in the script, which is unsafe. The skill requests (implicitly) high-privilege DB access without documenting or justifying it.
Persistence & Privilege
`always` is false, and the skill does not request persistent platform privileges or modify other skills/config. It only performs a one-off database write when invoked.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat: /install save-mysql
- After installation, invoke the skill by name or use /save-mysql
- Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.1
- No code changes in this release.
- Documentation and usage details remain unchanged.
Frequently Asked Questions
What is lin?
Extract parameters from a given URL and save them into a MySQL database. Use when you need to store URL query parameters for later processing or analysis. It is an AI Agent Skill for Claude Code / OpenClaw, with 101 downloads so far.
How do I install lin?
Run "/install save-mysql" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is lin free?
Yes, lin is completely free, licensed under MIT-0. You can download, install and use it at no cost.
Which platforms does lin support?
lin is cross-platform and runs anywhere OpenClaw / Claude Code is available.
Who created lin?
It is built and maintained by 番茄番茄番茄范 (@lin-shiwu); the current version is v1.0.1.