zenixp

MYSQL QUERY

Author: zenixp · GitHub ↗ · v1.0.1
cross-platform ⚠ suspicious
Total downloads: 3270 · Favorites: 8 · Current installs: 18 · Versions: 2
Install in OpenClaw
/install db-query
Description
Query project databases with automatic SSH tunnel management. Use when you need to execute SQL queries against configured databases, especially those accessi...
Usage instructions (SKILL.md)

Database Query

Overview

Query databases through a centralized configuration file with automatic SSH tunnel management. Handles connection details, SSH tunnel setup/teardown, and query execution.

Security

Passwords are not passed on the command line, so they are never exposed in process lists. The skill passes credentials through environment variables instead:

  • MYSQL_PWD for database passwords (passed to mysql client)
  • SSHPASS for SSH tunnel passwords (passed to sshpass)

Recommended: Store credentials in environment variables instead of the config file for better security.

Configuration

Setup

  1. Create config file at ~/.config/clawdbot/db-config.json:

    mkdir -p ~/.config/clawdbot
    # Copy example config and edit
    cp /usr/lib/node_modules/clawdbot/skills/db-query/scripts/config.example.json ~/.config/clawdbot/db-config.json
    
  2. Add database entries with these fields:

    • name: Description used to find the database (required)
    • host: Database host (required)
    • port: Database port (default: 3306)
    • database: Database name (required)
    • user: Database user (required)
    • password: Database password (optional, can use env var)
    • ssh_tunnel: Optional SSH tunnel configuration
  3. SSH tunnel configuration (if needed):

    • enabled: true/false
    • ssh_host: Remote SSH host
    • ssh_user: SSH username
    • ssh_port: SSH port (default: 22)
    • local_port: Local port to forward (e.g., 3307)
    • remote_host: Remote database host behind SSH (default: localhost)
    • remote_port: Remote database port (default: 3306)

Environment Variables (Recommended)

Instead of storing passwords in the config file, use environment variables:

# Format: DB_PASSWORD_<DATABASE_NAME> (spaces replaced with underscores, uppercase)
export DB_PASSWORD_PRODUCTION_USER_DB="your_db_password"

# Format: SSH_PASSWORD_<DATABASE_NAME> for SSH tunnel password
export SSH_PASSWORD_PRODUCTION_USER_DB="your_ssh_password"

Example Config

{
  "databases": [
    {
      "name": "Production User DB",
      "host": "localhost",
      "port": 3306,
      "database": "user_db",
      "user": "db_user",
      "password": "",
      "ssh_tunnel": {
        "enabled": true,
        "ssh_host": "prod.example.com",
        "ssh_user": "deploy",
        "local_port": 3307
      }
    }
  ]
}

Set environment variables (recommended):

export DB_PASSWORD_PRODUCTION_USER_DB="your_db_password"
export SSH_PASSWORD_PRODUCTION_USER_DB="your_ssh_password"

Usage

List Databases

python3 /usr/lib/node_modules/clawdbot/skills/db-query/scripts/db_query.py --list

Query a Database

python3 /usr/lib/node_modules/clawdbot/skills/db-query/scripts/db_query.py \
  --database "Production User DB" \
  --query "SELECT * FROM users LIMIT 10"

The script will:

  1. Find database by matching description in config
  2. Start SSH tunnel (if configured)
  3. Execute query
  4. Automatically close SSH tunnel (important for cleanup)

With Custom Config Path

python3 /usr/lib/node_modules/clawdbot/skills/db-query/scripts/db_query.py \
  --config /path/to/custom-config.json \
  --database "test" \
  --query "SHOW TABLES"

Requirements

  • MySQL client: apt install mysql-client or equivalent
  • SSH client: usually pre-installed on Linux/Mac
  • Python 3.6+

Notes

  • SSH tunnels are automatically closed after query execution
  • Use --list to see all configured databases and their descriptions
  • Database search is case-insensitive partial match on name field
  • Local ports for SSH tunnels should be unique per database
Security usage recommendations
This skill appears to do what it claims (manage SSH tunnels and run MySQL queries). Before installing or using it:

  • Ensure the local mysql client and ssh are installed (and sshpass if you plan to use password-based SSH). The registry metadata does not declare these requirements, so install them manually if needed.
  • Prefer key-based SSH authentication rather than sshpass/SSH passwords; if you use passwords, be aware environment variables and process environments can be observable on some systems.
  • Verify the config file location (~/.config/clawdbot/db-config.json) and file permissions to protect stored secrets. The example encourages storing secrets in env vars rather than the file — follow that advice.
  • Note the script uses 'StrictHostKeyChecking=accept-new' which will automatically accept new host keys; if you need stricter host verification, edit the script or your SSH options.
  • Optionally review the included scripts/db_query.py yourself (it's small and readable) before use. The code contains no hidden network endpoints or exfiltration behavior, but it does invoke external programs (ssh, mysql) and will connect to whatever hosts are configured in your config file.
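The config checks recommended above (file permissions, passwords kept out of the file, unique local ports, key-based SSH) can be run as a small audit. This is an added example, not part of the skill or its db_query.py; audit_config and demo are hypothetical names, and the environment variable naming follows only the rule stated in SKILL.md.

```python
import json, os, stat, tempfile

def audit_config(path, environ=None):
    """Return findings for a db-query style config (format as documented on this page)."""
    environ = os.environ if environ is None else environ
    findings = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & 0o077:
        findings.append(f"file mode {mode:04o}: group/other can access it, use 0600")
    with open(path, encoding="utf-8") as fh:
        databases = json.load(fh).get("databases", [])
    ports = {}  # local_port -> first database that claimed it
    for db in databases:
        name = db.get("name", "<unnamed>")
        # SKILL.md naming rule: spaces replaced with underscores, uppercase
        suffix = name.replace(" ", "_").upper()
        if db.get("password"):
            findings.append(f"{name}: password stored in file, move it to DB_PASSWORD_{suffix}")
        elif f"DB_PASSWORD_{suffix}" not in environ:
            findings.append(f"{name}: no password in file and DB_PASSWORD_{suffix} is unset")
        tunnel = db.get("ssh_tunnel") or {}
        if not tunnel.get("enabled"):
            continue
        port = tunnel.get("local_port")
        if port in ports:
            findings.append(f"{name}: local_port {port} already used by {ports[port]}")
        ports.setdefault(port, name)
        if f"SSH_PASSWORD_{suffix}" in environ:
            findings.append(f"{name}: SSH password set, prefer key-based authentication")
    return findings

def demo():
    # Constructed sample config and environment, not taken from a real deployment
    def entry(name, password, ssh_host):
        return {"name": name, "host": "localhost", "database": "user_db", "user": "db_user",
                "password": password, "ssh_tunnel": {"enabled": True, "ssh_host": ssh_host,
                "ssh_user": "deploy", "local_port": 3307}}
    cfg = {"databases": [entry("Production User DB", "example-password", "prod.example.com"),
                         entry("Staging DB", "", "staging.example.com")]}
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "db-config.json")
        with open(path, "w", encoding="utf-8") as fh:
            json.dump(cfg, fh)
        os.chmod(path, 0o644)  # deliberately too permissive for the demo
        return audit_config(path, {"DB_PASSWORD_STAGING_DB": "constructed"})

if __name__ == "__main__":
    print("\n".join(demo()))
```

To audit a real installation, call audit_config on the expanded path of ~/.config/clawdbot/db-config.json.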
Functional analysis
Type: OpenClaw Skill
Name: db-query
Version: 1.0.1

The skill is classified as suspicious primarily due to a critical SQL injection vulnerability in `scripts/db_query.py`. The `execute_mysql_query` function directly passes the user-provided `query` argument to the `mysql` client's `-e` flag without sanitization, allowing arbitrary SQL commands to be executed against configured databases. Additionally, the SSH tunnel setup uses `StrictHostKeyChecking=accept-new`, which weakens security by making the first connection vulnerable to Man-in-the-Middle attacks. While the `SKILL.md` instructions themselves do not contain malicious prompt injection, they direct the agent to use a script that is vulnerable to SQL injection via its `--query` argument.
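For the host-key point, a tunnel command can be built from the same ssh_tunnel fields with strict host key checking and key-based authentication in place of accept-new and sshpass. This is an added example, not the skill's own code; tunnel_argv, the known_hosts path and the identity file path are hypothetical, and the field validation (hostnames and IPv4 only) is an added precaution rather than a statement about the original script.

```python
import re

_HOST = re.compile(r"[A-Za-z0-9]([A-Za-z0-9.-]{0,252}[A-Za-z0-9])?")
_USER = re.compile(r"[A-Za-z_][A-Za-z0-9_.-]{0,31}")

def _port(value, default):
    port = default if value is None else value
    if isinstance(port, bool) or not isinstance(port, int) or not 1 <= port <= 65535:
        raise ValueError(f"invalid port: {port!r}")
    return port

def tunnel_argv(tunnel, known_hosts, identity_file):
    """Build an ssh port-forward command from one ssh_tunnel config entry."""
    host, user = tunnel["ssh_host"], tunnel["ssh_user"]
    remote_host = tunnel.get("remote_host", "localhost")
    # Reject values that ssh could parse as options or that are not plain names
    if not (_HOST.fullmatch(host) and _HOST.fullmatch(remote_host) and _USER.fullmatch(user)):
        raise ValueError("ssh_host, remote_host or ssh_user has unexpected characters")
    forward = "127.0.0.1:{}:{}:{}".format(      # bind the forward to loopback only
        _port(tunnel.get("local_port"), None),  # local_port has no documented default
        remote_host, _port(tunnel.get("remote_port"), 3306))
    return ["ssh", "-N",
            "-o", "BatchMode=yes",               # never fall back to password prompts
            "-o", "StrictHostKeyChecking=yes",   # unknown or changed host key: refuse
            "-o", f"UserKnownHostsFile={known_hosts}",
            "-o", "ExitOnForwardFailure=yes",    # exit if local_port cannot be bound
            "-i", identity_file,
            "-p", str(_port(tunnel.get("ssh_port"), 22)),
            "-L", forward, f"{user}@{host}"]

# Tunnel entry from the page's Example Config; both file paths are hypothetical
EXAMPLE_TUNNEL = {"enabled": True, "ssh_host": "prod.example.com",
                  "ssh_user": "deploy", "local_port": 3307}

if __name__ == "__main__":
    print(" ".join(tunnel_argv(EXAMPLE_TUNNEL, "/home/agent/.ssh/known_hosts",
                               "/home/agent/.ssh/id_ed25519")))
```

With StrictHostKeyChecking=yes the known_hosts file must already contain the server's host key, obtained through a trusted channel, or the connection is refused.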
Capability assessment
Purpose & Capability
Name/description state: run MySQL queries with SSH tunnel management. The included script implements exactly that: reads a JSON config, optionally starts an SSH tunnel (ssh/sshpass), and runs the mysql client. No unrelated services or credentials are requested by the code.
Instruction Scope
SKILL.md and the script operate within expected scope: they read a single config file (default ~/.config/clawdbot/db-config.json), use environment variables for DB/SSH passwords, establish SSH tunnels, and invoke the local mysql client. The instructions do not ask the agent to read unrelated files, contact external endpoints other than SSH/mysql hosts, or collect extra system data. Note: the script prints examples and lists configured databases when the config is missing.
Install Mechanism
This is instruction-only (no install spec) which minimizes installer risk. However SKILL.md and INSTALL.md reference copying config from /usr/lib/node_modules/... and require local binaries (mysql client, ssh, optionally sshpass) even though the registry metadata lists 'required binaries: none'. That mismatch is a packaging/metadata omission you should be aware of — the tool will fail at runtime if mysql/ssh (and sshpass when using password-based SSH) are not installed.
Credentials
The script uses environment variables for credentials (DB_PASSWORD_<NAME>, SSH_PASSWORD_<NAME>) and sets MYSQL_PWD/SSHPASS only for subprocess execution. No other unrelated environment variables or cloud credentials are requested. Requiring secrets for the databases you're connecting to is proportional to the functionality.
Persistence & Privilege
The skill is not always-enabled and does not request elevated or persistent platform privileges. It does not modify other skills' configurations. It runs only when invoked by the user/agent.
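How to use
  1. Make sure OpenClaw is installed (local or Docker deployment)
  2. Enter the install command in the chat box: /install db-query
  3. Once installation completes, invoke the Skill by name or trigger it with /db-query
  4. Provide the required input according to the Skill's parameter documentation to get structured output
Version history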
v1.0.1
  • Credentials are now handled via environment variables (`MYSQL_PWD`, `SSHPASS`) for increased security; passwords are no longer visible in process lists.
  • Strongly recommends storing database and SSH passwords in environment variables instead of the config file.
  • Updated documentation with usage examples for environment variables and changes to configuration best practices.
  • All existing functionality and usage remain unchanged.
v1.0.0
  • Initial release of db-query skill.
  • Query project databases with automatic SSH tunnel management.
  • Uses a centralized config to manage multiple databases by name/description.
  • Automatically handles SSH tunnel setup and teardown before/after each query.
  • Allows listing databases and executing SQL queries from the command line.
  • Supports custom config file paths and partial name matching for database selection.
Metadata
Slug db-query
Version 1.0.1
License
Total installs 19
Current installs 18
Number of versions 2
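FAQ

What is MYSQL QUERY?

Query project databases with automatic SSH tunnel management. Use when you need to execute SQL queries against configured databases, especially those accessi... It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 3270 total downloads so far.

How do I install MYSQL QUERY?

Run the command "/install db-query" in the OpenClaw or Claude Code chat box for one-click installation; no additional configuration is required.

Is MYSQL QUERY free?

Yes, MYSQL QUERY is completely free (free and open source) and can be freely downloaded, installed and used.

Which platforms does MYSQL QUERY support?

MYSQL QUERY is cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed (cross-platform).

Who developed MYSQL QUERY?

Developed and maintained by zenixp (@zenixp); the current version is v1.0.1.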
