Total downloads: 100
Favorites: 0
Current installs: 0
Versions: 1
Install in OpenClaw
/install cshi
Description
Extract parameters from a given URL and save them into a MySQL database. Use when you need to store URL query parameters for later processing or analysis.
Usage instructions (SKILL.md)
URL Parameter Saver
This skill extracts parameters from a provided URL and saves them into a MySQL database. If the table does not exist, it will be created automatically. Currently supports single URL processing.
Usage
- Call the save_url_params.py script with a URL.
- The script parses the query parameters and inserts them as a new row in the database.
- Each URL's parameters are saved in independent rows.
Database
- Database type: MySQL
- Table name: url_parameters
- Columns: dynamically matched to URL parameter names
Security recommendations
This skill contains legitimate functionality but has important problems you should address before installing or running it:
- Do not run this against production or sensitive databases yet. The code will create tables and add columns based on URL parameter names.
- The script uses environment variables DB_HOST/DB_USER/DB_PASSWORD/DB_NAME but the skill metadata and README do not declare them. Ensure you supply credentials only for a safe, isolated test database.
- Major security issue: column names are built directly from URL parameter names and interpolated into CREATE TABLE and INSERT SQL without quoting or validation. An attacker-controlled URL could cause SQL syntax errors or SQL injection via crafted identifier names. Fix by validating/whitelisting parameter names, quoting identifiers safely (e.g., backticks after strict validation), or mapping parameter names to safe column names.
- Add explicit dependency documentation: require Python and mysql-connector-python (or equivalent), and include instructions for installing them.
- Consider changing design: instead of dynamic columns, store parameters as key/value rows or a JSON column to avoid dynamic identifier creation.
If you cannot review and fix the code yourself, treat the skill as unsafe for use with any database that contains sensitive data or production credentials.
Functional analysis
Type: OpenClaw Skill
Name: cshi
Version: 1.0.0
The skill contains critical SQL injection vulnerabilities in scripts/save_url_params.py. The script dynamically constructs SQL 'CREATE TABLE' and 'INSERT' statements using f-strings that incorporate unsanitized keys directly from URL query parameters. An attacker could exploit this by providing a crafted URL to execute arbitrary SQL commands or manipulate the database schema. However, because the code's behavior aligns with its stated purpose and lacks evidence of intentional malice or data exfiltration, it is classified as suspicious rather than malicious.
Capability assessment
Purpose & Capability
The skill's stated purpose (save URL query parameters to MySQL) matches the included script. However, the SKILL metadata claims no required environment variables or binaries, while the script relies on the DB_HOST/DB_USER/DB_PASSWORD/DB_NAME environment variables and the Python mysql.connector module. Those omissions are inconsistent with the claimed requirements.
Instruction Scope
SKILL.md simply instructs running the Python script with a URL. The script will read DB connection environment variables (even though SKILL.md/metadata don't declare them) and create tables/columns derived directly from URL parameter names. The instructions do not warn about or constrain what parameter names may be used, nor do they instruct any sanitization or safe DB target (e.g., not to run against production).
Install Mechanism
There is no install spec (instruction-only), which reduces install-supply risk. However the script depends on Python and the mysql.connector library (mysql-connector-python) which are not declared. That omission can cause execution failures and hides the true runtime surface.
Credentials
The script expects database credentials via environment variables (DB_HOST, DB_USER, DB_PASSWORD, DB_NAME) and provides insecure defaults (root/root on localhost/test_db). Those credentials are not declared in requires.env or documentation. Requesting DB credentials is proportionate to the task, but failing to declare them and using privileged defaults is concerning.
Persistence & Privilege
The skill does not request persistent privileges (always:false), does not modify other skills, and only performs DB writes as its intended action. No platform-level privilege escalation is apparent.
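How to use
- Make sure OpenClaw is installed (local or Docker deployment)
- Enter the install command in the chat box: /install cshi
- After installation, call the Skill by name or use /cshi to trigger it
- Provide the required inputs according to the Skill's parameter description to get structured output
Version history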
v1.0.0
Initial release of the URL Parameter Saver skill.
- Extracts query parameters from a given URL.
- Saves extracted parameters into a MySQL database.
- Automatically creates the 'url_parameters' table if it doesn't exist.
- Supports processing one URL at a time.
- Table columns are dynamically matched to URL parameter names.
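FAQ
What is lin?
Extract parameters from a given URL and save them into a MySQL database. Use when you need to store URL query parameters for later processing or analysis. It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 100 cumulative downloads so far.
How do I install lin?
Run the command "/install cshi" in the OpenClaw or Claude Code chat box to install it in one step; no additional configuration is required.
Is lin free?
Yes, lin is completely free. It is released under the MIT-0 license and can be freely downloaded, installed and used.
Which platforms does lin support?
lin runs cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed (cross-platform).
Who developed lin?
It is developed and maintained by 番茄番茄番茄范 (@lin-shiwu); the current version is v1.0.0.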