jasydongo

MySQL Administration

Author: jasydongo · GitHub ↗ · v0.1.0 · MIT-0
cross-platform ⚠ suspicious
Total downloads: 364
Favorites: 1
Current installs: 0
Versions: 1
Install in OpenClaw
/install mysqladm
Description
Manage MySQL databases via mysql CLI or Python mysql-connector, supporting queries, schema changes, backups, performance analysis, and user permissions.
Security usage advice
This skill appears to implement MySQL admin tasks, but there are gaps and risky patterns you should consider before installing or running it:
- Credentials: The skill expects MYSQL_HOST, MYSQL_USER, MYSQL_PASSWORD, MYSQL_DATABASE, etc., but the registry metadata does not declare these. Treat this as requiring sensitive DB credentials.
- Inspect before running: The bundled scripts call mysqldump/mysql and use eval and unquoted variables; this can enable command injection if any argument is attacker-controlled. Review the scripts and avoid passing untrusted input.
- Secret exposure: Passwords are passed on the command line (e.g., -p$PASSWORD), which can appear in process lists. Prefer using option files, protected environment variables handled by the platform, or mysql client config files with restricted permissions.
- Environment impact: QUICKSTART suggests sudo systemctl start mysql and references a hard-coded test path (/home/clawbot/...), so run tests in an isolated environment (container or VM), not against production systems.
- Ask the author or maintainer to: (1) declare required env vars/credentials in the skill metadata, (2) avoid eval and quote arguments properly, (3) avoid printing secrets and using passwords on the command line, and (4) explain the {baseDir} substitution and any test scripts referenced.
If you must use it now, run in a sandbox with non-production credentials and back up targets first. If you are not comfortable reviewing shell scripts yourself, do not run this skill with privileged credentials or on production systems.
Functional analysis
Type: OpenClaw Skill
Name: mysqladm
Version: 0.1.0
The skill bundle contains several shell scripts (`mysql_query.sh`, `mysql_backup.sh`, and `mysql_restore.sh`) that use the `eval` command to execute shell strings constructed directly from input arguments. This pattern creates a significant shell injection vulnerability, potentially allowing an attacker (or a manipulated AI agent) to achieve Remote Code Execution (RCE) on the host system. While the bundle's functionality aligns with its stated purpose of MySQL administration, the lack of input sanitization in these core scripts represents a high-risk security flaw.
Capability assessment
Purpose & Capability
The skill's name, description, included scripts, and references align with MySQL administration (queries, backup/restore, performance). The embedded SKILL.md metadata correctly lists required binaries (mysql, mysqldump, mysqlcheck) and optional python3. However, the registry metadata reported 'no required env vars' while the runtime instructions and scripts expect MYSQL_HOST, MYSQL_USER, MYSQL_PASSWORD, MYSQL_DATABASE, etc. — a mismatch between declared requirements and actual needs.
Instruction Scope
The SKILL.md instructs the agent to read and use database credentials from environment variables and to run local system commands (e.g., sudo systemctl start mysql in QUICKSTART and a hard-coded path /home/clawbot/openclaw/test_mysqladm_skill.sh). The shipped scripts build shell commands from user-provided inputs and use eval in places (backup/restore/query scripts), which increases the risk of command injection if inputs are not strictly validated. The instructions also reference {baseDir} for bundled scripts but do not document how it is set; the skill may attempt to run those scripts with whatever credentials are provided.
Install Mechanism
This is instruction-plus-scripts (no network install/spec that downloads code at runtime). The SKILL.md includes optional apt/brew install guidance for the mysql client, which is appropriate and from normal package managers. No external URLs, shorteners, or archive extraction are used.
Credentials
Although the registry metadata lists no required environment variables or primary credential, the skill requires DB credentials and host/port settings at runtime (MYSQL_HOST, MYSQL_USER, MYSQL_PASSWORD, MYSQL_DATABASE). That omission is a meaningful coherence issue: the skill will need sensitive credentials to operate but does not declare them. The scripts accept passwords on the command line and embed them into commands (mysqldump/mysql -pPASSWORD), which could expose secrets in process listings. Multiple env/config references (and a hard-coded local test path) are present without being declared.
Persistence & Privilege
The skill does not request always:true and is user-invocable. It does not modify other skills or system-wide settings in its code. However, QUICKSTART suggests using sudo to start the mysql service — running with elevated privileges is a runtime consideration for the user, not an installation-time privilege request.
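How to use
  1. Make sure OpenClaw is installed (local or Docker deployment)
  2. Enter the install command in the dialog: /install mysqladm
  3. Once installation completes, invoke the Skill by name or trigger it with /mysqladm
  4. Provide the required inputs according to the Skill's parameter description to get structured output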
Version history
v0.1.0
Initial release: MySQL database management with query execution, backup/restore, performance analysis, and user management capabilities. Includes 3 utility scripts and comprehensive documentation.
Metadata
Slug: mysqladm
Version: 0.1.0
License: MIT-0
Total installs: 0
Current installs: 0
Historical versions: 1
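FAQ

What is MySQL Administration?

Manage MySQL databases via mysql CLI or Python mysql-connector, supporting queries, schema changes, backups, performance analysis, and user permissions. It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 364 total downloads to date.

How do I install MySQL Administration?

Run the command "/install mysqladm" in the OpenClaw or Claude Code dialog to install it in one step, with no additional configuration required.

Is MySQL Administration free?

Yes, MySQL Administration is completely free. It is released under the MIT-0 license and can be freely downloaded, installed and used.

Which platforms does MySQL Administration support?

MySQL Administration runs cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed (cross-platform).

Who developed MySQL Administration?

Developed and maintained by jasydongo (@jasydongo); the current version is v0.1.0.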
