paradoxfuzzle

Custom Mysql

Author: NoodlyPandaStories · GitHub · v1.0.8 · MIT-0
cross-platform ✓ Security check passed
Total downloads: 68 · Favorites: 0 · Current installs: 0 · Versions: 4
Install in OpenClaw
/install custom-mysql
Description
Provides a secure, least-privilege interface for managing user data, personas, and config snapshots in MySQL with input validation and secret redaction.
Usage instructions (SKILL.md)

MySQLClaw Skill v1.0.7

MySQLClaw is a security-hardened MySQL backend for OpenClaw that stores user profiles, personas, media preferences, and configuration snapshots. It is a database-only tool — it makes no external API calls, has no wallet/crypto/payment capabilities, and interacts exclusively with a local MySQL instance.


Capability Declarations

See CAPABILITIES.md for explicit declarations of what this skill can and cannot do. Key points:

  • ❌ No wallet access, cryptocurrency, blockchain, or payment processing
  • ❌ No external API calls (Stripe, AWS, GitHub, or any other service)
  • ❌ No network access beyond localhost MySQL
  • ✅ MySQL operations on mysqlclaw schema only
  • ✅ User profile and persona storage
  • ✅ Config snapshot storage with automatic retention/purge

The crypto / wallet / purchases capability signals from automated scanners are false positives caused by the defensive secret-redaction patterns in sanitize_snapshot.sh. See CAPABILITIES.md for full explanation.


Dependencies

| Requirement | Install Command |
|---|---|
| MySQL client (mysql >= 8.0) | Debian/Ubuntu: sudo apt install default-mysql-client · RHEL: sudo yum install mysql · macOS: brew install mysql-client |
| OpenSSL | Usually pre-installed |
| Bash >= 4.0 | Required for associative arrays |
| Perl | Required for sanitize_snapshot.sh regex engine (usually pre-installed) |

Required Environment Variables

| Variable | Description |
|---|---|
| MYSQL_USER | Dedicated MySQL account (not root in production) |
| MYSQL_PASSWORD | Password for the MySQL account |
| MYSQL_HOST | MySQL server hostname (default: localhost) |
| MYSQL_PORT | MySQL server port (default: 3306) |

Security Note: Passwords are never passed on the command line. All connections use a temporary --defaults-extra-file with mode 600 (chmod 600) that is deleted via trap EXIT.


Security Architecture

1. Credential Handling

  • Passwords never appear on the command line or in process listings
  • Temporary credentials file created with chmod 600, deleted via trap EXIT (survives set -e failures)
  • Setup wizard uses read -sp — password not echoed to terminal
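
The credential-handling pattern described above, as an added example (it is not the skill's own setup_wizard.sh or sql_safe_exec.sh code). The function names and the MYSQL_BIN override are hypothetical; the environment variables are the ones listed under Required Environment Variables.

```shell
#!/usr/bin/env bash
# Added example: temporary MySQL option file, mode 600, removed by trap EXIT.

# make_mysql_defaults: write a [client] option file readable only by its owner
# and print its path. Reads MYSQL_USER, MYSQL_PASSWORD, MYSQL_HOST, MYSQL_PORT.
make_mysql_defaults() {
  local f
  f=$(umask 077; mktemp "${TMPDIR:-/tmp}/mysqlclaw.XXXXXX") || return 1
  chmod 600 "$f"
  # printf is a shell builtin, so the password never lands in any process's argv.
  # Passwords containing a backslash or a double quote need care under
  # MySQL option-file quoting rules.
  printf '[client]\nuser=%s\npassword="%s"\nhost=%s\nport=%s\n' \
    "$MYSQL_USER" "$MYSQL_PASSWORD" \
    "${MYSQL_HOST:-localhost}" "${MYSQL_PORT:-3306}" > "$f"
  printf '%s\n' "$f"
}

# run_query SQL: run one statement against the mysqlclaw schema. The body is a
# subshell, so the EXIT trap fires (and the file is removed) however it ends.
# MYSQL_BIN is a hypothetical override that lets a stub replace the client.
run_query() (
  cnf=$(make_mysql_defaults) || exit 1
  trap 'rm -f "$cnf"' EXIT
  # --defaults-extra-file must be the first option on the mysql command line.
  "${MYSQL_BIN:-mysql}" --defaults-extra-file="$cnf" \
    --database=mysqlclaw --execute="$1"
)
```

Call it as run_query "SELECT 1" with the environment variables exported; while the client runs, ps shows only the path of the option file, not the password.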

2. SQL Safety (sql_safe_exec.sh)

| Control | Behavior |
|---|---|
| Multi-statement rejection | Semicolons rejected — one statement at a time |
| DDL blocking | DROP, TRUNCATE, ALTER, CREATE blocked anywhere in input |
| DML confirmation | INSERT, UPDATE, DELETE, REPLACE require interactive confirmation |
| Path traversal prevention | .ssh, /etc/, .env, .gnupg, .aws, .config blocked |
| Database restriction | USE only allowed for mysqlclaw |
| Input sanitization | Single quotes escaped; identifiers validated ^[a-zA-Z_][a-zA-Z0-9_]{0,63}$ |
| Trap-based cleanup | Credentials file removed on ANY exit via trap EXIT |
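
One way to implement the statement checks listed above, as an added example (it is not the project's sql_safe_exec.sh). The function names, the return codes, and the choice to match keywords on word boundaries are assumptions; the keyword lists, path fragments, and identifier pattern are the ones in the table.

```shell
#!/usr/bin/env bash
# Added example, not the project's sql_safe_exec.sh.
# check_sql STATEMENT prints a verdict and returns:
#   0 = allowed, 2 = allowed only after interactive confirmation, 1 = rejected
check_sql() {
  local sql upper
  sql=$1
  upper=$(printf '%s' "$sql" | tr '[:lower:]' '[:upper:]')

  # Multi-statement rejection: any semicolon, even inside a string literal.
  case $sql in *';'*) echo "reject: semicolon"; return 1 ;; esac

  # DDL blocking: keyword anywhere in the input. -w matches whole words only,
  # so a column such as created_at passes while SELECT 'drop' is refused.
  if printf '%s' "$upper" | grep -Eqw 'DROP|TRUNCATE|ALTER|CREATE'; then
    echo "reject: DDL"; return 1
  fi

  # Path traversal prevention: sensitive path fragments.
  if printf '%s' "$sql" | grep -Eq '\.ssh|/etc/|\.env|\.gnupg|\.aws|\.config'; then
    echo "reject: sensitive path"; return 1
  fi

  # Database restriction: USE is accepted only for mysqlclaw.
  if printf '%s' "$upper" | grep -Eq '^[[:space:]]*USE[[:space:]]'; then
    printf '%s' "$sql" \
      | grep -Eiq '^[[:space:]]*use[[:space:]]+`?mysqlclaw`?[[:space:]]*$' \
      || { echo "reject: USE outside mysqlclaw"; return 1; }
  fi

  # DML confirmation: the caller must prompt before running these.
  if printf '%s' "$upper" | grep -Eqw 'INSERT|UPDATE|DELETE|REPLACE'; then
    echo "confirm: DML"; return 2
  fi
  echo "allow"
}

# valid_identifier NAME returns 0 when NAME matches the identifier pattern.
valid_identifier() {
  printf '%s' "$1" | grep -Eq '^[a-zA-Z_][a-zA-Z0-9_]{0,63}$'
}
```

Keyword filtering of this kind is a guardrail in front of the database, not a substitute for it: the privileges granted to the MySQL account remain the enforcement boundary.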

3. Command Mapping (custom_mysql)

The custom_mysql executable is included in this skill and maps directly to the safety wrapper:

| Command | Implementation | Safety |
|---|---|---|
| custom_mysql.sh query "SQL" | custom_mysqlsql_safe_exec.sh | Single-statement, DDL blocked, DML confirmed |
| custom_mysql.sh exec_script --file X | custom_mysqlsql_safe_exec.sh per line | Each statement individually verified |

4. Snapshot Security

  • Secret redaction: sanitize_snapshot.sh redacts API keys, tokens, passwords, Stripe keys (sk_live_*), AWS keys, GitHub tokens via Perl regex
  • Path whitelist: Only files in allowed_snapshot_paths may be snapshotted
  • Untrusted by default: All snapshots marked is_trusted = 0 until user-verified
  • Retention: Auto-purge via MySQL event (default 30 days). Manual: CALL sp_purge_snapshots(N);

Installation

cp -r custom_mysql /home/noodly/.openclaw/workspace/skills/
cd /home/noodly/.openclaw/workspace/skills/custom_mysql
./setup_wizard.sh

Creating a Least-Privilege MySQL User

CREATE USER 'mysqlclaw'@'localhost' IDENTIFIED BY 'strong_password';
GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, ALTER, INDEX, EVENT, EXECUTE
    ON mysqlclaw.* TO 'mysqlclaw'@'localhost';
FLUSH PRIVILEGES;

Files

| File | Purpose |
|---|---|
| SKILL.md | This file — skill documentation |
| CAPABILITIES.md | Explicit capability declarations (addresses scanner false positives) |
| custom_mysql | Agent-facing command wrapper (query / exec_script) |
| sql_safe_exec.sh | Safe SQL execution engine |
| setup_wizard.sh | Interactive setup wizard |
| sanitize_snapshot.sh | Secret redaction before DB storage |
| create_user_tables.sql | Schema for user profiles, personas, snapshots |
| cleanup_snapshots.sql | Retention policy (auto-purge event + manual procedure) |
| changelog.md | Version history |

Changelog

See changelog.md for full version history.

Security Usage Recommendations
This skill is reasonable for local MySQL-backed profile and snapshot storage. Before installing, make sure MYSQL_HOST points only to a trusted database, create a dedicated mysqlclaw MySQL user with limited privileges, review any SQL scripts before execution, and decide whether automatic snapshot purging and persistent profile/config storage are acceptable.
Functional Analysis
Type: OpenClaw Skill
Name: custom-mysql
Version: 1.0.8

The MySQLClaw skill bundle is a security-hardened database interface for OpenClaw agents, focusing on local MySQL operations for user profiles and personas. It implements multiple layers of protection, including credential handling via temporary files with trap-based cleanup (setup_wizard.sh, sql_safe_exec.sh), multi-statement SQL rejection, DDL blocking, and mandatory interactive confirmation for data-modifying queries. The bundle also includes a defensive redaction script (sanitize_snapshot.sh) using Perl regex to strip secrets like API keys and tokens before storage, and the documentation (CAPABILITIES.md) proactively addresses potential security scanner false positives related to these patterns.
Capability Tags
crypto · requires-wallet · can-make-purchases · requires-sensitive-credentials
Capability Assessment
Purpose & Capability
The stated purpose and source are coherent: managing user profiles, personas, and config snapshots in MySQL. No wallet, payment, blockchain, or external API code is evident, but the skill intentionally persists personal/configuration data.
Instruction Scope
The agent-facing wrapper allows raw SQL and SQL-file execution through a safety wrapper with DDL blocking and DML confirmation, so users should still review SQL before allowing changes.
Install Mechanism
There is no automated install spec; setup is user-directed. Registry metadata under-declares dependencies and environment variables that the SKILL.md and scripts require.
Credentials
The default target is a local mysqlclaw schema and the docs recommend least privilege, but MYSQL_HOST and MySQL credentials can point to any user-configured MySQL account/server.
Persistence & Privilege
The skill creates persistent MySQL tables for profile/config history and a daily MySQL purge event for old snapshots. This is disclosed and purpose-aligned, but affects retention and deletion.
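How to Use
  1. Make sure OpenClaw is installed (locally or via Docker)
  2. Enter the install command in the dialog: /install custom-mysql
  3. After installation, call the Skill by name or use /custom-mysql to trigger it
  4. Provide the required input according to the Skill's parameter description to get structured output
Version History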
v1.0.8
- Added new executable script: custom_mysql.sh.
- Updated documentation to reference custom_mysql.sh instead of custom_mysql for command usage.
- No functional changes to security architecture or dependencies.
- Files list and example commands now align with the presence of custom_mysql.sh.
v1.0.7
Skill version 1.0.7 highlights stricter capability documentation and clarifies security design.
- Added `CAPABILITIES.md` for explicit declarations of allowed and disallowed actions, to address false "crypto/wallet/payment" capability scanner signals.
- Updated `SKILL.md` with a new, greatly clarified capability scope section and references to `CAPABILITIES.md`.
- Emphasized that the skill performs only local MySQL database operations, with no wallet, crypto, payment, or external API access.
- Polished documentation: reorganized and condensed sections, clarified security features and expected environment.
- No functional or code logic changes; this is a documentation and transparency release.
v1.0.6
- Added an explicit "Capability Scope" section clarifying that the skill does not interact with wallets, cryptocurrencies, or payment systems; redaction of such secrets is purely defensive.
- Updated dependencies: Perl is now required for advanced regex redaction in `sanitize_snapshot.sh`.
- Strengthened documentation of script execution (`exec_script`): all statements are run individually through the SQL safety wrapper, and only reviewed/bundled scripts should be used.
- Enhanced documentation for clarity around installation, input validation, and security controls.
v1.0.4
MySQLClaw Skill v1.0.4 delivers security-focused MySQL management features for OpenClaw agents.
- Strengthened credential handling: passwords never appear in process listings, credentials file auto-deleted on exit.
- Enhanced SQL execution safety: rejects multi-statements, blocks DDL, requires confirmation for DML, enforces input sanitization.
- Snapshot management: secrets automatically redacted, files tightly whitelisted, auto-purge after 30 days.
- Strict input validation: all identifiers and database user input checked by regex.
- Setup wizard and commands streamlined for user safety and ease of use.
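Metadata
Slug: custom-mysql
Version: 1.0.8
License: MIT-0
Total installs: 0
Current installs: 0
Historical versions: 4
FAQ

What is Custom Mysql?

Provides a secure, least-privilege interface for managing user data, personas, and config snapshots in MySQL with input validation and secret redaction. It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 68 total downloads to date.

How do I install Custom Mysql?

Run the command "/install custom-mysql" in the OpenClaw or Claude Code dialog to install it in one step; no additional configuration is required.

Is Custom Mysql free?

Yes. Custom Mysql is completely free and released under the MIT-0 license; it can be freely downloaded, installed, and used.

Which platforms does Custom Mysql support?

Custom Mysql runs cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed (cross-platform).

Who developed Custom Mysql?

Developed and maintained by NoodlyPandaStories (@paradoxfuzzle); the current version is v1.0.8.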
