101
Total downloads
0
Favorites
0
Current installs
1
Versions
Install in OpenClaw
/install save-mysql
Description
Extract parameters from a given URL and save them into a MySQL database. Use when you need to store URL query parameters for later processing or analysis.
Safe usage advice
This script will connect to a MySQL server and create/modify a table using column names derived directly from URL query parameter names. Before installing or running it, consider the following:
- Credential and dependency disclosure: The skill metadata does not declare required env vars or the mysql-connector dependency. Expect to provide DB_HOST, DB_USER, DB_PASSWORD, DB_NAME and to install the mysql-connector package and Python runtime.
- Principle of least privilege: Do not run this with root or highly privileged DB accounts. Create a dedicated DB user with minimal INSERT/CREATE privileges limited to a dedicated database.
- SQL identifier injection risk: Column names are interpolated directly into CREATE TABLE and INSERT statements without quoting or validation. Malicious or malformed parameter names could break SQL or be exploited. Only allow safe column names (e.g., validate against /^[A-Za-z0-9_]+$/) and/or quote identifiers properly.
- Data sensitivity & exfiltration: The script will transmit any URL parameters to the configured DB. Ensure you trust the DB host (keep it local or in a trusted network) and avoid sending sensitive tokens/passwords. Treat this as a data exfiltration surface if the DB is remote.
- Suggested code fixes: a) Require and document env vars in SKILL.md/metadata. b) Validate/sanitize column names to a safe whitelist and quote identifiers with backticks after validation. c) Avoid hardcoded default credentials; fail if no credentials are provided. d) Add explicit instructions about installing dependencies (pip install mysql-connector-python). e) Limit column size and handle name collisions.
If you cannot review and lock down the DB and the script before use, treat this skill as risky and do not enable it on agents that can access sensitive URLs or run autonomously.
Functional analysis
Type: OpenClaw Skill
Name: save-mysql
Version: 1.0.1
The skill is classified as suspicious due to critical SQL injection vulnerabilities in `scripts/save_url_params.py`. The script dynamically generates database column names and table structures directly from URL query parameter keys using f-strings in both `CREATE TABLE` and `INSERT` statements without any sanitization. While the code's behavior aligns with the stated purpose in `SKILL.md`, the implementation allows for arbitrary SQL execution if a user provides a URL with malicious parameter keys.
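The hardened shape that the safe-usage advice and this analysis both call for (allowlist the column names, quote them with backticks only after validation, pass values as driver placeholders, refuse to fall back to root/root) as an added example written for this page; it is not the skill's own `scripts/save_url_params.py`. It only builds the statements, so it runs without a MySQL server; the table name `url_params` and the 255-character value limit are assumptions.

```python
import os
import re
from urllib.parse import parse_qsl, urlparse

# Allowlist recommended above: identifiers limited to [A-Za-z0-9_]+.
SAFE_IDENT = re.compile(r"[A-Za-z0-9_]+")
MAX_IDENT_LEN = 64      # MySQL's maximum identifier length
MAX_VALUE_LEN = 255     # assumed cap; matches the VARCHAR(255) columns below


def safe_identifier(name: str) -> str:
    """Return the name backtick-quoted, or raise if it fails the allowlist."""
    if not SAFE_IDENT.fullmatch(name) or len(name) > MAX_IDENT_LEN:
        raise ValueError(f"unsafe column name rejected: {name!r}")
    return f"`{name}`"


def build_statements(url: str, table: str = "url_params"):
    """Map a URL's query string to (CREATE TABLE sql, INSERT sql, values).

    Column names are validated and quoted before they reach the SQL text;
    values are never interpolated, they go to the driver as %s placeholders.
    """
    columns, values = [], []
    for key, value in parse_qsl(urlparse(url).query, keep_blank_values=True):
        safe_identifier(key)                      # reject unsafe names first
        if key in columns:                        # name collision inside one URL
            raise ValueError(f"duplicate parameter name: {key!r}")
        if len(value) > MAX_VALUE_LEN:
            raise ValueError(f"value for {key!r} exceeds {MAX_VALUE_LEN} chars")
        columns.append(key)
        values.append(value)
    if not columns:
        raise ValueError("URL carries no query parameters")
    quoted = [safe_identifier(c) for c in columns]
    tbl = safe_identifier(table)
    create_sql = (f"CREATE TABLE IF NOT EXISTS {tbl} ("
                  + ", ".join(f"{c} VARCHAR({MAX_VALUE_LEN})" for c in quoted) + ")")
    insert_sql = (f"INSERT INTO {tbl} ({', '.join(quoted)}) VALUES ("
                  + ", ".join(["%s"] * len(quoted)) + ")")
    return create_sql, insert_sql, tuple(values)


def db_settings(env=os.environ) -> dict:
    """Read DB_HOST/DB_USER/DB_PASSWORD/DB_NAME; fail instead of defaulting."""
    required = ("DB_HOST", "DB_USER", "DB_PASSWORD", "DB_NAME")
    missing = [k for k in required if not env.get(k)]
    if missing:
        raise RuntimeError("missing DB settings: " + ", ".join(missing))
    return {k: env[k] for k in required}
```

With mysql-connector-python the caller then runs `cursor.execute(insert_sql, values)` so the driver escapes the values, while the identifiers have already been checked against the allowlist.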
Capability assessment
Purpose & Capability
The name/description (save URL params to MySQL) matches the code's behavior, but the skill metadata declares no required environment variables or dependencies even though the script expects DB connection settings (DB_HOST, DB_USER, DB_PASSWORD, DB_NAME) and the mysql.connector Python package. This mismatch is unexplained and reduces transparency.
Instruction Scope
SKILL.md instructs only to run the script with a URL and mentions MySQL, which is consistent, but it omits key runtime details (Python runtime, mysql-connector package, expected env vars). The script will connect to an arbitrary MySQL host and write data there — this behavior can be a vector for unintended data exfiltration if a remote DB is configured, and the docs do not warn about sensitive data handling.
Install Mechanism
No install spec — the skill is instruction-only with an included Python script. This minimizes install-time risk, but runtime dependencies (python package mysql.connector) are not declared.
Credentials
The code relies on environment variables for DB credentials but the skill metadata lists none. Default credentials (DB_USER=root, DB_PASSWORD=root, DB_HOST=localhost, DB_NAME=test_db) are embedded in the script, which is unsafe. The skill requests (implicitly) high-privilege DB access without documenting or justifying it.
Persistence & Privilege
`always` is false and the skill does not request persistent platform privileges or modify other skills/config. It only performs a one-off database write when invoked.
How to use
- Make sure OpenClaw is installed (locally or via Docker)
- Enter the install command in the chat box: /install save-mysql
- After installation, call the Skill by name directly or trigger it with /save-mysql
- Provide the required input as described in the Skill's parameter documentation to get structured output
Version history
v1.0.1
- No code changes in this release.
- Documentation and usage details remain unchanged.
Metadata
FAQ
What is lin?
Extract parameters from a given URL and save them into a MySQL database. Use when you need to store URL query parameters for later processing or analysis. It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 101 downloads to date.
How do I install lin?
Run the command 「/install save-mysql」 in the OpenClaw or Claude Code chat box to install it in one step; no extra configuration is needed.
Is lin free?
Yes, lin is completely free, released under the MIT-0 license, and can be freely downloaded, installed and used.
Which platforms does lin support?
lin runs cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed.
Who developed lin?
Developed and maintained by 番茄番茄番茄范 (@lin-shiwu); current version v1.0.1.