Total downloads: 70
Favorites: 0
Current installs: 0
Versions: 2
Install in OpenClaw
/install ai-nl2sql
Description
Convert natural language questions into SQL queries on your uploaded CSV/Excel files, execute them offline, and return results with optional charts.
Security usage recommendations
Key things to consider before installing or using:
- Privacy: If you use the PRO mode (supply an OpenAI API key), the skill builds a text prompt that includes the inferred schema and sample values from your uploaded CSV/Excel files and sends that to OpenAI. Do not use PRO mode with sensitive or confidential data unless you accept that those file-derived details will be transmitted to OpenAI.
- Billing: The skill calls skillpay.me to charge per-call. SKILL_BILLING_API_KEY (sent as X-API-Key) is used to authenticate billing requests. The SKILL.md states Feishu IDs may be transmitted for billing — but the code currently passes static user IDs ('api_user'/'cli_user') in charge calls. Review skillpay.me's privacy/terms before supplying a billing API key.
- Documentation mismatches: The README claims 'No data leaves the user's environment' — that is incorrect for PRO (OpenAI) mode. The registry metadata omits required env vars listed in SKILL.md. Treat those inconsistencies as a red flag and prefer to run the code in a controlled environment first.
- Mitigations: (1) Use the FREE/rule-based mode when processing sensitive files (no OpenAI calls). (2) Run the CLI locally (inspect network traffic) or in an isolated environment if you must test PRO mode. (3) If you must use PRO, provide your own OpenAI API key (so the skill does not use any third-party stored key) and avoid uploading PII. (4) Review the skillpay.me billing endpoint behavior and logs before providing SKILL_BILLING_API_KEY.
- If you want higher assurance, ask the author to: update SKILL.md to accurately state when data is sent to OpenAI (what fields) and whether sample values are included; clarify exactly what user ID is sent to billing; and add an explicit opt-in that warns the user when their data will be included in prompts.
Functional analysis
Type: OpenClaw Skill
Name: ai-nl2sql
Version: 1.0.1
The NL2SQL skill is a legitimate tool for querying CSV and Excel files using natural language. It uses OpenAI for SQL generation and pandasql for local, sandboxed execution on DataFrames. The skill includes a transparently documented billing mechanism via 'skillpay.me' (IOC: skillpay.me) that transmits a user identifier for per-call charging. Security features include a SQLValidator in scripts/parser.py that restricts execution to read-only SELECT statements, and no evidence of data exfiltration, unauthorized command execution, or malicious prompt injection was found.
Capability assessment
Purpose & Capability
The skill's code implements NL→SQL, local execution on pandas DataFrames, charting, and optional OpenAI-based SQL generation — which matches the description. However the registry metadata says there are no required env vars while SKILL.md and the code rely on SKILL_BILLING_API_KEY / SKILL_BILLING_SKILL_ID for billing. The SKILL.md claim 'No data leaves the user's environment' is inconsistent with the code path that calls OpenAI with a prompt containing the schema and sample values (i.e., user data will be sent to OpenAI when using PRO).
Instruction Scope
SKILL.md instructs running the CLI/API and states offline sandboxing. The code will (a) call SkillPay endpoints (skillpay.me) for billing and (b) call OpenAI when an API key is provided, sending a generated prompt that includes schema and sample values extracted from your files. That means file contents (at least schema and sample rows) leave the environment for AI generation — contradicting the security note in SKILL.md. The SKILL.md also states Feishu User ID may be transmitted for billing, but the code uses hard-coded user identifiers ('api_user'/'cli_user') in its calls; the doc and code are inconsistent here.
Install Mechanism
There is no install spec in the registry (instruction-only), but the package includes Python source and requirements.txt listing common libraries (pandas, openai, requests, matplotlib, pandasql). These are normal for the stated functionality and do not involve fetching code from untrusted URLs. Still, the presence of runnable code (not purely prose) means installation will place code on disk and installing dependencies may execute network activity when used.
Credentials
SKILL.md lists SKILL_BILLING_API_KEY and SKILL_BILLING_SKILL_ID as required env vars; the registry metadata lists none — mismatch. The billing API key (if set) is sent to skillpay.me as X-API-Key. The OpenAI API key is provided by the user via CLI/API (not via a declared env var), but when present prompts containing file schema and sample values are sent to OpenAI. If you provide a PRO API key, your file-derived data will be transmitted to OpenAI. Requiring a billing API key that will be sent to an external billing service is proportionate to the billed feature, but the documentation understates where data leaves the environment.
Persistence & Privilege
The skill does not request elevated or persistent platform privileges. It sets always:false and does not modify other skills or global agent settings. It only reads files provided by the user and uses environment vars for billing; it does not attempt to persist credentials to unrelated configs.
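How to use
- Make sure OpenClaw is installed (local or Docker deployment)
- Enter the install command in the chat box: /install ai-nl2sql
- Once installation completes, call the Skill by name or use /ai-nl2sql to trigger it
- Provide the required inputs as described in the Skill's parameter documentation to get structured output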
Version history
v1.0.1
- Added a dedicated "Security Notes" section detailing SQL safety precautions, data isolation, and external data transmission practices.
- Clarified that all AI-generated SQL is validated to block non-SELECT queries and only permit read-only operations.
- Emphasized that SQL execution remains local, with no data transmission except for billing-related user ID.
- No code or functional changes; documentation update only.
v1.0.0
- Initial release of ai-nl2sql skill: natural language to SQL queries for CSV and Excel files.
- Supports plaintext questions, auto-generates SQL, and displays results with optional charts.
- Command line and Python API both available.
- Tiered features: FREE for basic/rule-based queries, PRO with AI (GPT-4) and expanded capabilities.
- $0.01 per paid query via SkillPay integration.
- Secure offline SQL execution in pandas; no real database connection needed.
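FAQ
What is AI NL2SQL?
Convert natural language questions into SQL queries on your uploaded CSV/Excel files, execute them offline, and return results with optional charts. It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 70 downloads to date.
How do I install AI NL2SQL?
Run the command "/install ai-nl2sql" in the OpenClaw or Claude Code chat box to install it in one step; no additional configuration is needed.
Is AI NL2SQL free?
Yes, AI NL2SQL is completely free. It is released under the MIT-0 license and can be freely downloaded, installed and used.
Which platforms does AI NL2SQL support?
AI NL2SQL runs cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed (cross-platform).
Who developed AI NL2SQL?
It is developed and maintained by YK-Global (@billjamno58); the current version is v1.0.1.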