Total downloads: 1138
Favorites: 1
Current installs: 2
Versions: 1
Install in OpenClaw
/install postgres-db
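Description
PostgreSQL database operations skill. Used to run SQL queries, manage tables, back up and restore, monitor performance, and perform other database operations. Trigger conditions: the user mentions PostgreSQL, postgres, database queries, SQL queries, table structure, database backup, and so on.
Security usage recommendations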
This skill appears to implement the PostgreSQL features it claims, but before installing: (1) note the registry metadata omits required PG environment variables — the scripts expect PGHOST/PGPORT/PGDATABASE/PGUSER/PGPASSWORD, so supply only a least-privileged DB user. (2) Ensure pg_dump/pg_restore and psycopg2 are installed on the host; the scripts use subprocess to call pg_dump and will fail if absent. (3) Backups are written to disk (backup_dir) — verify the directory, permissions, and retention policy so backups are not exposed. (4) Review the scripts yourself if you don't fully trust the source: they execute arbitrary SQL and run pg_restore/pg_dump, which can modify or drop data when run with sufficient privileges. (5) If you plan to allow the agent to invoke autonomously, restrict credentials and consider creating a dedicated read/backup role (avoid superuser) to limit blast radius.
Functional analysis
Type: OpenClaw Skill
Name: postgres-db
Version: 1.0.0
The skill is classified as suspicious due to several critical vulnerabilities. The `scripts/query.py` file directly executes arbitrary SQL queries provided as command-line arguments, creating a significant SQL injection risk if an AI agent constructs these queries from untrusted user input. Additionally, `scripts/backup.py` executes external `pg_dump` and `pg_restore` commands with arguments derived from user input, which could lead to argument injection or unintended file operations. The `scripts/schema_export.py` script also presents a file write vulnerability by allowing the output path to be specified arbitrarily, potentially overwriting sensitive files. While these are not explicitly malicious actions, they are severe flaws that could be exploited for unauthorized database access, data manipulation, or system compromise.
Capability assessment
Purpose & Capability
The name/description, SKILL.md and included scripts all align with PostgreSQL tasks (query execution, schema export, backup/restore). However the registry metadata lists no required environment variables while the SKILL.md and scripts clearly expect PGHOST/PGPORT/PGDATABASE/PGUSER/PGPASSWORD — an inconsistency that should be resolved.
Instruction Scope
Runtime instructions are scoped to database operations and reference running the included Python scripts and PostgreSQL tools (pg_dump/pg_restore). The scripts read environment variables, write backup files to disk, and execute SQL — they do not call external network endpoints or exfiltrate data. One small mismatch: SKILL.md mentions 'performance monitoring' but there is no dedicated monitoring script; monitoring would be performed via queries (EXPLAIN, pg_stat_*), which is supported via query.py but not separately implemented.
Install Mechanism
No install spec is provided (instruction-only install), so nothing is downloaded or written by an installer. The package includes Python scripts; risk comes from executing them, but there is no remote install URL or archive to fetch.
Credentials
The scripts legitimately require database connection credentials (PG* env vars). That access is proportionate to the stated purpose. The concern is the metadata omission of these env vars (metadata declares none), and the fact that PGPASSWORD is sensitive — you should only provide least-privilege credentials and verify where backups are stored and who can access them.
Persistence & Privilege
The skill is not force-included (always: false) and does not request persistent system privileges or change other skills' configuration. Autonomous invocation is allowed (platform default) but not combined here with other red flags.
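How to use
- Make sure OpenClaw is installed (local or Docker deployment)
- Enter the install command in the dialog: /install postgres-db
- Once installation completes, call the Skill by name or trigger it with /postgres-db
- Provide the required input according to the Skill's parameter description to get structured output
Version history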
v1.0.0
Initial release: PostgreSQL database operations including query execution, schema export, and backup functionality
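FAQ
What is PostgreSQL Database?
PostgreSQL database operations skill. Used to run SQL queries, manage tables, back up and restore, monitor performance, and perform other database operations. Trigger conditions: the user mentions PostgreSQL, postgres, database queries, SQL queries, table structure, database backup, and so on. It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 1138 cumulative downloads to date.
How do I install PostgreSQL Database?
Run the command "/install postgres-db" in the OpenClaw or Claude Code dialog to install it in one step; no additional configuration is required.
Is PostgreSQL Database free?
Yes, PostgreSQL Database is completely free (free and open source) and can be freely downloaded, installed, and used.
Which platforms does PostgreSQL Database support?
PostgreSQL Database is cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed.
Who developed PostgreSQL Database?
It is developed and maintained by limoxt (@limoxt); the current version is v1.0.0.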