Total downloads: 364
Favorites: 0
Current installs: 1
Versions: 2
Install in OpenClaw
/install oceanbase-datapilot
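Description
For all data-query and data-analysis scenarios: runs the complete flow from data source onboarding to data Q&A on top of DataPilot's OpenAPI. Used for natural-language data queries, SQL query validation, chart generation, report export and download, creating and managing data-analysis Agents, and maintaining Agent knowledge bases.
Security recommendations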
This skill is coherent with its stated purpose (a Node CLI for DataPilot) but the bundled script writes persistent logs and explicitly logs the DATAPILOT_API_KEY value into dataagent_cli.log. Before installing or running: 1) Do not supply a high-privilege/long-lived API key — create a least-privilege key you can rotate. 2) Inspect or modify dataagent_openapi_cli.mjs to remove or sanitize keyenv logging (replace raw key with sanitized value or remove the field). 3) Run the script in an isolated environment (ephemeral container or sandbox) if you must test it, and ensure the logfile is not included in backups or synced locations. 4) Consider deleting or securing dataagent_cli.log after use and rotating the API key if it was exposed. If the author can clarify why the raw API key is logged and remove that behavior, the risk would be substantially reduced.
Functional analysis
Type: OpenClaw Skill
Name: oceanbase-datapilot
Version: 1.0.1
The skill bundle contains significant security vulnerabilities in 'dataagent_openapi_cli.mjs' that could be exploited. Specifically, the script logs the raw 'DATAPILOT_API_KEY' to a local file ('dataagent_cli.log') within the 'getAuthHeaders' function, despite having sanitization logic elsewhere. Furthermore, the 'create-instance' command facilitates arbitrary file reading and uploading via the '--sqlite-file' argument without path validation, potentially allowing an attacker to exfiltrate sensitive system files if the AI agent is manipulated. While these appear to be unintentional design flaws rather than intentional malware, they pose a high risk.
Capability assessment
Purpose & Capability
Name/description, required binary (node), and required env vars (DATAPILOT_API_URL, DATAPILOT_API_KEY) align with the included CLI script that calls a DataPilot OpenAPI (create-instance, ask, list-agents, knowledge management). Requested resources (API URL + key, ability to read user-provided datasource files) are proportional to the stated purpose.
Instruction Scope
SKILL.md instructs running the included node script and supplying datasource files; the runtime code reads user-supplied files (datasource JSON, sqlite .db) which is expected. However, the SKILL.md does not mention that the CLI will write a persistent log file in the skill directory or that it logs authentication material. The code calls writeLog() frequently and in getAuthHeaders() it passes keyenv: process.env.DATAPILOT_API_KEY (the raw API key) to the logger, which is a mismatch with the documentation and a potential secret-exposure vector.
Install Mechanism
There is no install spec (instruction-only + included node script). That is low-risk in terms of external code downloads. The included JS file will be executed with node; no external archive downloads or third-party package installs are present in the bundle.
Credentials
Requiring DATAPILOT_API_URL and DATAPILOT_API_KEY is appropriate for an API client. However, the code logs environment and argument data to a local log file and — crucially — writes the raw DATAPILOT_API_KEY into logs (getAuthHeaders calls writeLog with keyenv: process.env.DATAPILOT_API_KEY). Even partial exposure or local logging of secrets is disproportionate and increases risk if the logfile is accessible, synced, or exfiltrated.
Persistence & Privilege
always:false and the skill does not request system-wide privileges or modify other skills. It does create/append a local logfile (dataagent_cli.log) in the script directory, which is persistent on disk; this persistent logging combined with credential logging is the main concern but does not indicate elevated platform privileges.
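How to use
- Make sure OpenClaw is installed (local or Docker deployment)
- Enter the install command in the chat box: /install oceanbase-datapilot
- Once installation completes, call the Skill by name or trigger it with /oceanbase-datapilot
- Provide the required inputs according to the Skill's parameter description to get structured output
Version history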
v1.0.1
oceanbase-datapilot 1.0.1
- Updated CLI usage examples in documentation to remove redundant --base-url and unify command formats.
- Minor documentation refinements for clarity and consistency.
- No changes to command set or APIs.
v1.0.0
Initial release of oceanbase-datapilot skill.
- Provides end-to-end data analysis workflow using DataPilot OpenAPI, from data source connection to natural language Q&A.
- Supports DataAgent creation, SQL validation, chart generation, report export, and knowledge management.
- CLI tool enables creating agents, asking data questions, listing agents, and managing agent knowledge.
- Compatible with multiple data sources: SQLite, MySQL, PostgreSQL, ODPS, and OBO Oracle.
- Requires Node.js and configuration of DATAPILOT_API_URL and DATAPILOT_API_KEY environment variables.
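FAQ
What is datapilot?
For all data-query and data-analysis scenarios: runs the complete flow from data source onboarding to data Q&A on top of DataPilot's OpenAPI. Used for natural-language data queries, SQL query validation, chart generation, report export and download, creating and managing data-analysis Agents, and maintaining Agent knowledge bases. It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 364 cumulative downloads to date.
How do I install datapilot?
Run the command "/install oceanbase-datapilot" in the OpenClaw or Claude Code chat box for one-click installation; no additional configuration is required.
Is datapilot free?
Yes, datapilot is completely free (free and open source) and can be freely downloaded, installed and used.
Which platforms does datapilot support?
datapilot runs cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed.
Who developed datapilot?
Developed and maintained by HSunboy (@hsunboy); the current version is v1.0.1.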