jackandking

Museum Data Manager

By jackandking · GitHub ↗ · v1.0.0 · MIT-0
cross-platform · ⚠ suspicious
Total downloads: 254
Favourites: 0
Current installs: 0
Versions: 1
Install in OpenClaw
/install museum
Description
Manage and query museum database records, track data collection status, verify completeness, and export museum data in JSON, CSV, or SQL formats.
Safe-use recommendations
This skill appears to do what it claims (manage a MySQL museum DB) and only asks for DB credentials, but the implementation has insecure practices you should address before trusting it with real data. Key points to consider:
- Review the code yourself (museum.py) before installing from an unknown source. The source/owner are not verified.
- Avoid supplying high-privilege credentials. Create a dedicated MySQL user with the minimum privileges needed (SELECT/INSERT/UPDATE/DELETE only as required), not root.
- The script shells out to the external 'mycli' program and passes the password on the command line, which can expose the password to other local users/process inspectors. Prefer a client that supports secure credential files or socket auth, or modify the tool to use a Python MySQL client (pymysql/mysql-connector) with parameterized queries.
- The tool constructs SQL statements by string interpolation (e.g., custom query, list/get filters). Do not use it with untrusted inputs; sanitize or parameterize queries to avoid SQL injection.
- Ensure 'mycli' is installed from a trusted source if you plan to use it; the manifest does not declare it as a required binary.
- Run this tool in a controlled environment (isolated machine or container) if the database or environment is sensitive. Verify exported files (JSON/CSV) are stored where you expect and protected.
If you cannot review or modify the code, consider rejecting or sandboxing this skill until these issues (command-line password exposure and unsanitized SQL) are resolved.
Functional analysis
Type: OpenClaw Skill
Name: museum
Version: 1.0.0
The skill contains significant SQL injection vulnerabilities in museum.py, where user-provided command-line arguments are directly interpolated into SQL strings (e.g., in the list_museums, get_museum, and check_data functions). Additionally, it provides a 'query' command that allows for arbitrary SQL execution. While these capabilities are documented and align with the stated purpose of museum database management, the lack of input sanitization and the broad database access pose a high risk of exploitation, though no evidence of intentional malice or data exfiltration was observed.
Capability assessment
Purpose & Capability
Name, description, manifest.env and SKILL.md all align: the tool manages a MySQL museum database and requests MYSQL_HOST / MYSQL_USER / MYSQL_PSWD / DATABASE. Asking for DB credentials is appropriate for this purpose. Minor inconsistency: the code depends on the external 'mycli' binary but the manifest/requirements do not list it as a required binary.
Instruction Scope
SKILL.md instructs only database-related operations. However, the runtime code (museum.py) executes arbitrary SQL supplied by users (the museum query command and other interpolated values) without sanitization, enabling SQL injection if untrusted input is used. The code also runs an external command (mycli) and passes the DB password on the command line, exposing it in process listings.
Install Mechanism
No install spec — instruction-only with an included Python script. Nothing is downloaded from external URLs or installed automatically. This is low-risk from an install mechanism perspective.
Credentials
The only environment variables requested are MySQL connection credentials, which are proportionate. However, the credential handling is insecure: the password is passed as a command-line argument to subprocess.run (exposed to other local users/process inspectors). Consider using more secure credential handling (socket, .my.cnf, or parameterized DB client).
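To make the two findings above concrete (filter values pasted into SQL text, and the password handed to a subprocess on the command line), here is an added Python example; it is not part of the skill and is not code from museum.py. It uses sqlite3 purely as an offline stand-in for MySQL (with pymysql or mysql-connector the same cursor.execute(sql, params) shape applies, using %s instead of ? as the placeholder) and the standard mysql client's --defaults-extra-file option as one way to keep the password off argv. The table layout, sample rows, credentials and function names are constructed for illustration.

```python
import os
import sqlite3
import stat
import tempfile

# Constructed sample rows standing in for the skill's MySQL museum table.
SAMPLE_MUSEUMS = [
    ("British Museum", "London", "complete"),
    ("Louvre", "Paris", "complete"),
    ("Rijksmuseum", "Amsterdam", "pending"),
]


def make_db():
    """Return an in-memory sqlite3 connection loaded with the constructed rows.

    sqlite3 is used only so the example runs offline; the hardened pattern
    below is the same one a MySQL client library expects.
    """
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE museum (name TEXT, city TEXT, status TEXT)")
    conn.executemany("INSERT INTO museum VALUES (?, ?, ?)", SAMPLE_MUSEUMS)
    return conn


def list_museums_interpolated(conn, city):
    """The pattern the assessment flags: the filter value becomes part of the SQL text.

    A value containing a quote can therefore change the statement's structure.
    (Illustrative reconstruction of the flagged pattern, not the skill's own code.)
    """
    sql = f"SELECT name FROM museum WHERE city = '{city}'"
    return [row[0] for row in conn.execute(sql)]


def list_museums_parameterized(conn, city):
    """Hardened form: the SQL text is fixed and the value is bound as a parameter.

    Whatever the caller supplies is compared as data; it can never alter the query.
    """
    sql = "SELECT name FROM museum WHERE city = ?"
    return [row[0] for row in conn.execute(sql, (city,))]


def mysql_argv_with_defaults_file(host, user, password, database):
    """Build an argv for the standard mysql client that keeps the password off the command line.

    The credentials go into a temporary defaults file readable only by the
    current user, and the client is pointed at it with --defaults-extra-file
    (which the mysql CLI requires to be the first option). The caller removes
    the file once the subprocess has finished. Hypothetical helper, not from museum.py.
    """
    fd, path = tempfile.mkstemp(prefix="mysql-creds-", suffix=".cnf")
    with os.fdopen(fd, "w") as fh:
        fh.write(f"[client]\nhost={host}\nuser={user}\npassword={password}\n")
    # mkstemp already creates the file 0600; make the intent explicit anyway.
    os.chmod(path, stat.S_IRUSR | stat.S_IWUSR)
    argv = ["mysql", f"--defaults-extra-file={path}", database]
    return argv, path


def password_in_argv(argv, password):
    """True if the secret would be visible to anyone listing this process's arguments."""
    return any(password in arg for arg in argv)


def credentials_file_mode(path):
    """Permission bits of the credentials file (expected 0o600)."""
    return stat.S_IMODE(os.stat(path).st_mode)


def remove_credentials_file(path):
    """Delete the temporary defaults file after the client process has exited."""
    os.remove(path)


if __name__ == "__main__":
    db = make_db()
    hostile = "x' OR '1'='1"
    print("interpolated  :", list_museums_interpolated(db, hostile))   # every row leaks
    print("parameterized :", list_museums_parameterized(db, hostile))  # nothing matches
    argv, creds = mysql_argv_with_defaults_file("db.example", "museum_ro", "constructed-pw", "museum")
    print("argv:", argv, "| password on argv:", password_in_argv(argv, "constructed-pw"))
    remove_credentials_file(creds)
```

Running the block shows the difference the assessment is pointing at: the same input that returns every row through the interpolated query returns nothing through the parameterized one, because the bound value is only ever compared against the city column. The defaults-file approach is one option; a Python MySQL client with parameterized queries removes the subprocess entirely.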
Persistence & Privilege
The manifest's always flag is false, and the skill does not request persistent system-wide privileges or modify other skills. Autonomous invocation is allowed by default but is not itself a concern here.
How to use
  1. Make sure OpenClaw is installed (local or Docker deployment)
  2. Enter the install command in the chat box: /install museum
  3. After installation, call the Skill by name directly or trigger it with /museum
  4. Provide the required inputs according to the Skill's parameter description to get structured output
Version history
v1.0.0
Museum Skill 1.0.0 – Initial Release
- Provides commands to list, query, and manage museum data in a MySQL database.
- Supports checking data collection progress, validating integrity, and exporting to JSON/CSV/SQL.
- Flexible filtering and pagination for museum lists.
- Custom SQL query support for advanced use cases.
- Designed for integration in data collection workflows and automated reporting.
- Easy installation, configuration, and troubleshooting guidance included.
Metadata
Slug: museum
Version: 1.0.0
License: MIT-0
Total installs: 0
Current installs: 0
Number of versions: 1
FAQ

What is Museum Data Manager?

Manage and query museum database records, track data collection status, verify completeness, and export museum data in JSON, CSV, or SQL formats. It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 254 downloads to date.

How do I install Museum Data Manager?

Run the command "/install museum" in the OpenClaw or Claude Code chat box to install it in one step; no additional configuration is needed.

Is Museum Data Manager free?

Yes, Museum Data Manager is completely free, released under the MIT-0 license, and can be freely downloaded, installed and used.

Which platforms does Museum Data Manager support?

Museum Data Manager is cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed.

Who developed Museum Data Manager?

Developed and maintained by jackandking (@jackandking); current version v1.0.0.