
Dev Machine Database

Author: alexmayanjun-collab · GitHub ↗ · v1.0.0 · MIT-0
cross-platform ⚠ suspicious
Total downloads: 112 · Favorites: 0 · Current installs: 1 · Versions: 1
Install in OpenClaw
/install dev-machine-database
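Description
Connects over SSH to the development machine datax and queries table structure, data, and statistics in the MySQL dw database; supports read-only select operations limited to 50 records.
Usage (SKILL.md)

Development machine database query skill

Function

Connects to the development machine (datax) over SSH and queries the dw database in MySQL
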

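Trigger phrases

  • "去草坪上 dw 库看一下" (Go take a look at the dw database on the lawn)
  • "开发机 MySQL 查询" (Development machine MySQL query)
  • "查询 dw 库的 [表名]" (Query [table name] in the dw database)
  • "草坪上的 MySQL dw 库" (The MySQL dw database on the lawn)
  • "datax 数据库查询" (datax database query)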

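Configuration

Development machine configuration

  • Hostname: datax
  • Working directory: /mnt/www
  • Database type: MySQL
  • Database name: dw (there may be several: dw, dw库, data_warehouse, etc.)

Database connection

# Connection method
ssh datax "mysql -u [user] -p[password] [database] -e 'SQL statement'"

# Or log in directly
ssh datax "mysql -h localhost -u [user] -p[password]"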

Usage examples

Example 1: List tables

User: "Go to the dw database on the lawn and see which tables it has"

Execute:

ssh datax "mysql -h localhost -u [user] -p[password] dw -e 'show tables;'"

Reply: table list


Example 2: Query user data

User: "Show which users are in tr_user in the dw database"

Execute:

ssh datax "mysql -h localhost -u [user] -p[password] dw -e 'select * from tr_user limit 50;'"

Reply: user list as a table


Example 3: Query table structure

User: "What does the tr_user table structure look like"

Execute:

ssh datax "mysql -h localhost -u [user] -p[password] dw -e 'desc tr_user;'"

Reply: table structure details


Example 4: Statistics

User: "How many rows are in the tr_user table of the dw database"

Execute:

ssh datax "mysql -h localhost -u [user] -p[password] dw -e 'select count(*) from tr_user;'"

Reply: row count


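Database information

Possible database names

Database name            Description
dw                       Main data warehouse database
dw库                     Chinese alias
data_warehouse           Full English name
sg_alith_sync_fle_tra    Thailand project database

Common tables

Table name    Description
tr_user       User table
tr_order      Order table
tr_store      Store table
tr_client     Client table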

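Execution flow

  1. Receive the query instruction

    • Parse the user's intent
    • Extract the database name, table name, and query conditions
  2. Build the SQL statement

    • Generate the SQL that matches the intent
    • Add a LIMIT clause (50 rows by default)
  3. Execute over SSH

    • Connect to the datax development machine
    • Run the MySQL query
    • Fetch the results
  4. Format the output

    • Present the results as a table
    • Add statistics
    • Send to Feishu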

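Security notes

  1. Read-only operations - only SELECT queries are executed; INSERT/UPDATE/DELETE are not
  2. LIMIT restriction - default LIMIT 50, to avoid large result sets
  3. Password protection - the MySQL password is not written to logs
  4. Access control - only authorized databases and tables are queried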

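Related files

  • Skill location: ~/.openclaw/workspace/skills/dev-machine-database/SKILL.md
  • Script location: ~/.openclaw/workspace/skills/dev-machine-database/query_db.py
  • Configuration location: ~/.openclaw/workspace/TOOLS.md (development machine configuration)

Changelog

2026-03-04

  • ✅ Created the skill
  • ✅ MySQL query support
  • ✅ Feishu sending integrated
  • ✅ Multiple trigger phrases supported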
Security recommendations
Do not install or run this skill without remediation.

Specific concerns:

  • The included script contains hard-coded DB credentials (root / "123456") and assumes SSH access to a host named 'datax' and a Docker 'mysql' container. The skill metadata does not declare any credentials or secrets — this is inconsistent and unsafe.
  • The script builds shell commands from user-supplied names/SQL and calls ssh subprocesses directly, which can allow command injection and arbitrary remote command execution if inputs are not strictly validated.
  • SKILL.md mentions sending results to Feishu and config files that are not provided; clarify where external integrations and secrets will be stored.

What to ask the author or change before use:

  • Remove hard-coded credentials; require secrets be provided via declared env vars or a secure secrets store and document required SSH credentials explicitly.
  • Sanitize/whitelist table names and disallow arbitrary SQL that could lead to shell injection; enforce read-only checks server-side where possible.
  • Provide clear install/config instructions for SSH keys or agent forwarding, and disclose any external integrations (Feishu) with required tokens.
  • Rotate any exposed credentials immediately if they were real, and consider not running this skill on production systems.

If you cannot get these changes, classify the skill as unsafe to enable because it can leak credentials or execute unintended commands on your development host.
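
One way to act on the recommendations above and on the SKILL.md security notes, as an added example (it is not the skill's query_db.py, which this page does not show): the SQL is built only from allowlisted identifiers and sent on stdin, so no user-supplied text reaches the remote shell and no credentials live in the script. The function names, the column names in the demo call, and the use of a remote ~/.my.cnf for a SELECT-only account are assumptions.

```python
import re
import shlex
import subprocess

# Allowlists taken from the names listed on this page; extend deliberately.
ALLOWED_DATABASES = {"dw", "data_warehouse"}
ALLOWED_TABLES = {"tr_user", "tr_order", "tr_store", "tr_client"}
MAX_ROWS = 50  # the skill's documented default LIMIT
IDENT = re.compile(r"[A-Za-z_][A-Za-z0-9_]{0,63}")


def build_select(table, columns=("*",), limit=MAX_ROWS):
    """Build a read-only SELECT from validated identifiers only."""
    if table not in ALLOWED_TABLES:
        raise ValueError(f"table not allowed: {table!r}")
    for col in columns:
        if col != "*" and not IDENT.fullmatch(col):
            raise ValueError(f"invalid column name: {col!r}")
    limit = max(1, min(int(limit), MAX_ROWS))  # clamp to 1..50
    cols = ", ".join(c if c == "*" else f"`{c}`" for c in columns)
    return f"SELECT {cols} FROM `{table}` LIMIT {limit};"


def build_ssh_argv(database, host="datax"):
    """Fixed remote command; the SQL is never part of the command line."""
    if database not in ALLOWED_DATABASES:
        raise ValueError(f"database not allowed: {database!r}")
    # ssh joins its trailing arguments into one string for the remote shell,
    # so the remote command is quoted as a unit even though it is constant.
    remote = shlex.join(["mysql", "--batch", database])
    return ["ssh", "-o", "BatchMode=yes", host, remote]


def run_query(database, table, columns=("*",), limit=MAX_ROWS):
    """Send the SQL on stdin. Assumption: the remote account's ~/.my.cnf
    holds credentials for a MySQL user that has only the SELECT privilege."""
    sql = build_select(table, columns, limit)
    proc = subprocess.run(build_ssh_argv(database), input=sql, text=True,
                          capture_output=True, timeout=30, check=True)
    return proc.stdout


if __name__ == "__main__":
    # Constructed demo values; nothing is sent over SSH here.
    print(build_ssh_argv("dw"))
    print(build_select("tr_user", ("id", "name"), limit=500))
```

The client-side checks narrow what the skill can send; the SELECT-only grant on the MySQL account is what enforces read-only access on the server.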
Functional analysis
Type: OpenClaw Skill
Name: dev-machine-database
Version: 1.0.0

The skill bundle contains a Python script (query_db.py) with a critical shell injection vulnerability in the query_mysql_docker function, where SQL strings are directly interpolated into a command string executed via SSH on a remote host (datax). It also includes hardcoded database credentials (root:123456). While these represent significant security risks (Remote Code Execution), they appear to be unintentional flaws in a developer utility rather than intentional malware.
Capability assessment
Purpose & Capability
The skill claims only to perform read-only SELECTs over SSH to host 'datax', which is consistent with the examples. However the included script embeds a MySQL root username and a plaintext password and assumes a Docker container name. The skill declares no required env vars or credentials even though it clearly needs SSH access and DB credentials; that mismatch is a coherence problem.
Instruction Scope
SKILL.md instructs making SSH calls and running mysql commands (expected), but also references sending results to Feishu and workspace config files that aren't present. The script builds shell commands directly from inputs (table/where/sql) and then passes them to ssh subprocess calls without sanitization, creating command-injection risk and scope creep beyond simple safe SELECTs.
Install Mechanism
No install spec (instruction-only plus an included script) — lowest install risk. However a shipped code file contains plaintext DB credentials and will be stored on disk when installed, which is a risk even though there's no installer downloading remote code.
Credentials
The skill requests no environment variables or primary credential in its metadata, yet the code requires SSH access to 'datax' and hard-codes MYSQL_USER and MYSQL_PASSWORD. Requesting root DB credentials (and storing them in code) is disproportionate and not documented in the manifest. The skill also assumes presence of 'docker' on the remote host and an accessible 'mysql' container.
Persistence & Privilege
always is false and the skill does not request permanent agent-wide privileges. There is no evidence it modifies other skills or global config. Autonomous invocation is allowed by default, which is normal, but combine this with the other concerns when deciding whether to enable.
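How to use
  1. Make sure OpenClaw is installed (locally or via Docker)
  2. Enter the install command in the chat box: /install dev-machine-database
  3. After installation, invoke the Skill by name or trigger it with /dev-machine-database
  4. Provide the required input according to the Skill's parameter description to get structured output
Version history
v1.0.0
dev-machine-database v1.0.0
  • Initial release; supports querying the MySQL dw database on the development machine (datax) over SSH.
  • Supports multiple natural-language trigger phrases in Chinese and English.
  • Read-only by default; all queries default to LIMIT 50 for safety.
  • Query result tables are sent to Feishu automatically.
  • Covers common commands: list tables, show structure, count rows.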
Metadata
Slug: dev-machine-database
Version: 1.0.0
License: MIT-0
Total installs: 1
Current installs: 1
Historical versions: 1
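Frequently asked questions

What is Dev Machine Database?

It connects over SSH to the development machine datax and queries table structure, data, and statistics in the MySQL dw database, supporting read-only select operations limited to 50 records. It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 112 cumulative downloads so far.

How do I install Dev Machine Database?

Run the command "/install dev-machine-database" in the OpenClaw or Claude Code chat box for a one-step install, with no additional configuration required.

Is Dev Machine Database free?

Yes. Dev Machine Database is completely free under the MIT-0 license and may be freely downloaded, installed, and used.

Which platforms does Dev Machine Database support?

Dev Machine Database is cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed (cross-platform).

Who developed Dev Machine Database?

It is developed and maintained by alexmayanjun-collab (@alexmayanjun-collab); the current version is v1.0.0.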
