← 返回 Skills 市场

database-toolkit

Name: database-toolkit
Author: qiuwenxi416488212-ship-it

作者 XiLi-aXi · GitHub ↗ · v1.0.0 · MIT-0

cross-platform ⚠ suspicious

172

总下载

当前安装

版本数

在 OpenClaw 中安装

/install database-toolkit

功能描述

Execute SQL queries, maintain data, perform statistics, and backup SQLite/MySQL databases including local and remote connections.

使用说明 (SKILL.md)

Database Ops - 数据库操作\r

SQLite/MySQL数据库直接操作，支持查询/更新/备份\r 最后更新：2026-04-13\r \r ---\r \r

功能概述\r

📊 查询数据：SQL查询执行\r
🔧 数据维护：增删改数据\r
💾 备份恢复：数据库备份\r
📈 统计分析：数据统计分析\r \r ---\r \r

支持的数据库\r

SQLite（本地）\r

路径：\r
- data/stock_profiles.db\r
- data/commodity_options.db\r
- data/financial_data.db\r
- lottery_v3.db\r
```\r
\r
### MySQL（远程）\r
```\r
待配置：\r
- Host: localhost\r
- Port: 3306\r
```\r
\r
---\r
\r
## 核心命令\r
\r
### 1. 查询\r
```\r
命令：db查询 [SQL]\r
\r
示例：\r
- db查询 SELECT * FROM stocks LIMIT 10\r
- db查询 SELECT code, name FROM stocks WHERE price > 100\r
```\r
\r
### 2. 统计\r
```\r
命令：db统计 [表名]\r
\r
示例：\r
- db统计 stock_profiles\r
- db统计 odds_history\r
```\r
\r
### 3. 备份\r
```\r
命令：db备份 [数据库]\r
\r
示例：\r
- db备份 stock_profiles\r
- db备份 all\r
```\r
\r
### 4. 表结构\r
```\r
命令：db结构 [表名]\r
\r
示例：\r
- db结构 stocks\r
- db结构 odds_history\r
```\r
\r
---\r
\r
## 常用查询模板\r
\r
### 股票数据\r
```sql\r
-- 最近采集的股票\r
SELECT code, name, price, change_pct \r
FROM stocks \r
ORDER BY update_time DESC LIMIT 10\r
\r
-- 涨跌幅排行\r
SELECT code, name, change_pct \r
FROM stocks \r
ORDER BY change_pct DESC LIMIT 10\r
```\r
\r
### 竞彩数据\r
```sql\r
-- 最近的推荐\r
SELECT league, home_team, away_team, prediction, odds \r
FROM odds_history \r
ORDER BY created_at DESC LIMIT 10\r
\r
-- 命中率统计\r
SELECT league, COUNT(*) as total, \r
       SUM(CASE WHEN result = 'win' THEN 1 ELSE 0 END) as wins\r
FROM odds_history GROUP BY league\r
```\r
\r
---\r
\r
## 注意事项\r
\r
- 写操作需谨慎，建议先备份\r
- 敏感数据查询需脱敏\r
- 定期备份重要数据\r
- 大数据量查询注意性能\r
\r
\r
## Code Implementation\r
\r
Python实现: database_ops.py\r
\r
`python\r
from database_ops import DatabaseOps, sqlite_query\r
\r
# 创建连接\r
db = DatabaseOps('data.db')\r
\r
# 查询\r
results = db.execute('SELECT * FROM stocks LIMIT 10')\r
\r
# 插入\r
db.insert('stocks', {'code': '000001', 'name': 'Test', 'price': 10.0})\r
\r
# 批量插入\r
db.insert_many('stocks', [{'code': '1', 'price': 10}, {'code': '2', 'price': 20}])\r
\r
# 统计\r
count = db.count('stocks')\r
stats = db.stats('stocks')\r
\r
# 备份\r
backup_path = db.backup('backup.db')\r
\r
db.close()\r
\r
# 快速查询\r
results = sqlite_query('data.db', 'SELECT * FROM stocks')\r
`\r

安全使用建议

This skill is broadly a database utility, but there are notable mismatches and code bugs — treat it as untrusted until you review it. Specific actions: - Do not supply production DB credentials. Test only with copies or throwaway credentials in an isolated environment. - The package includes Redis/Postgres/Mongo client code that the description does not mention; if you don't need those, prefer a narrower tool. - Several code issues exist (e.g., DatabaseOps is used with 'with' but the class lacks __enter__/__exit__, mysql_ops.backup references an undefined 'table') — expect runtime errors. Consider reviewing/fixing code before use. - Backups use shutil.copy2 and will create files on disk — ensure paths are what you expect. - Because dependencies are optional and imported at runtime, install only the libraries you need (pymysql, psycopg2, pymongo, redis) and run in a sandbox first. If you plan to use it: audit the repo or run it in a restricted environment, provide only least-privilege DB accounts, and fix the documented implementation bugs before trusting it with important data.

功能分析

Type: OpenClaw Skill Name: database-toolkit Version: 1.0.0 The database-toolkit bundle provides comprehensive wrappers for SQLite, MySQL, Redis, PostgreSQL, and MongoDB. It is classified as suspicious due to significant SQL injection vulnerabilities in database_ops.py and mysql_ops.py, where table names and column keys are directly interpolated into SQL strings using f-strings (e.g., in the insert, update, and delete methods). While the tool's stated purpose is database administration, these implementation flaws allow for potential exploitation. Additionally, the SKILL.md instructions explicitly direct the agent to operate on specific local databases like lottery_v3.db and financial_data.db, which may indicate use in gray-area applications like gambling bots.

能力评估

ℹ Purpose & Capability

Description promises SQLite/MySQL support, but the code bundle also includes Redis, PostgreSQL, and MongoDB client classes (database_enhanced.py, extra_db.py). Those additional capabilities are not documented in SKILL.md or the short description — this is a mismatch (extra capabilities that expand the attack surface).

⚠ Instruction Scope

SKILL.md instructs running queries, write operations and backups on local DB paths and remote MySQL. The instructions reference specific local DB file paths (data/*.db) and advise write actions. The code's example usage uses 'with DatabaseOps(...) as db' but DatabaseOps does not implement __enter__/__exit__ (runtime bug) which means the usage in the docs will error. Several write/backup operations (shutil.copy2) will touch the filesystem; the skill provides no guidance on limiting scope or asking for credentials securely.

ℹ Install Mechanism

There is no install spec (instruction-only), so nothing will be automatically downloaded — lowest install risk. requirements.txt lists pandas and comments about pymysql, but optional runtime dependencies (pymysql, psycopg2, pymongo, redis, DBUtils) are imported conditionally in code and are not declared as required environment/runtime variables. That is reasonable but should be noted: missing dependencies will cause parts of the code to raise ImportError or print messages.

⚠ Credentials

The skill declares no required env vars or primary credential, yet its MySQL/Postgres/Mongo/Redis classes obviously require database credentials to operate. There is no declared, structured mechanism for providing or protecting those credentials. Users might be asked to supply DB passwords directly at runtime — do not provide production credentials without isolation. The number of potential credential types (DB usernames/passwords for multiple DB engines, Redis) is larger than the stated purpose suggests.

✓ Persistence & Privilege

always:false and no install script means the skill does not request permanent or privileged platform presence. It does not modify other skills or system-wide settings. Autonomous invocation is allowed (platform default) but that is not combined with 'always' or unusual privileges.

如何使用

确保已安装 OpenClaw（本地或 Docker 部署）
在对话框中输入安装命令：/install database-toolkit
安装完成后，直接呼叫该 Skill 的名称或使用 /database-toolkit 触发
根据 Skill 的参数说明提供必要输入，即可获得结构化输出

版本历史

v1.0.0

- Initial release of database-toolkit skill. - Supports direct SQLite/MySQL operations: querying, modifying, backing up databases, and performing statistics. - Provides key commands for data querying, table statistics, structure display, and backup. - Includes templates for common SQL queries on stocks and sports betting data. - Usage instructions and code implementation samples are provided for easy integration. - Emphasizes data safety: warns about sensitive information, recommends frequent backups, and notes performance considerations for large queries.

元数据

Slug database-toolkit

版本 1.0.0

许可证 MIT-0

累计安装 0

当前安装数 0

历史版本数 1

常见问题