sqlskills

SQL Database Toolkit

Author: SQLSkills · GitHub · v1.0.0 · MIT-0
cross-platform ⚠ suspicious
Total downloads: 105
Favorites: 0
Current installs: 0
Versions: 1
Install in OpenClaw
/install sql-database-toolkit
Description
All-in-one SQL data analysis toolkit supporting database/file connection, SQL query, visualization, AI insights, and report/dashboard generation with templates.
Security usage recommendations
What to consider before installing/using this skill:
- Code vs metadata mismatch: the package includes many Python scripts and an install_deps.sh but the registry declares no install spec. Do not blindly run install_deps.sh or pip install -r requirements.txt; inspect those files first.
- Credentials: this toolkit needs DB credentials to function. Do not provide production credentials. Prefer creating a dedicated, least-privilege, readonly database user or use local/test databases first. The SKILL.md references ~/.my.cnf — check any code that reads local config files before use.
- Network access: interactive charts use CDNs (e.g., jsdelivr) and the code may perform network I/O; review code for external endpoints (search for 'requests', 'urllib', 'socket', 'http', 'https', or hardcoded URLs) before running.
- Run in isolation: if you want to evaluate, run the code in a disposable environment (Python venv or container) and monitor outbound network traffic. Review requirements.txt and dependency versions for supply-chain risk.
- Ask the publisher for clarifications: request a homepage or repository link, an explicit install spec, and explicit declarations of required environment variables (e.g., DB credentials) and any network endpoints the skill contacts. Also ask them to explain why metadata lists version 1.0.0 while SKILL.md says v2.0.0.
- If you lack the ability to audit code, avoid running it with sensitive credentials. Use sample data or a sandboxed DB and inspect outputs/logs first.
If the publisher provides a public repository and an explicit install/permission manifest, and you verify there are no unexpected network calls or credential exfiltration, the inconsistencies will be less concerning. Until then, treat the skill with caution.
Functional analysis
Type: OpenClaw Skill
Name: sql-database-toolkit
Version: 1.0.0
The SQL Database Toolkit is a comprehensive data analysis suite, but it contains several high-risk security vulnerabilities. Most notably, 'file_connector.py' includes a loader for Pickle files using 'pd.read_pickle', which is a well-documented vector for Remote Code Execution (RCE) if an agent is tricked into loading a malicious file. Furthermore, the 'query' method in 'file_connector.py' implements a custom SQL parameter replacement logic by manually swapping strings (e.g., replacing ':key' with 'value'), which is highly susceptible to SQL injection attacks compared to standard parameterized queries. While these appear to be unintentional architectural flaws rather than overt malice, they represent a significant attack surface for prompt-injection-based exploits against the AI agent.
Capability assessment
Purpose & Capability
The name/description align with the provided modules (database_connector, charts, report_generator, ai_insights, unified_pipeline). The included Python scripts and many templates are coherent with an end-to-end SQL analysis toolkit. However, the skill declares no required environment variables or primary credential even though the SKILL.md and code demonstrate connecting to external databases (MySQL/Postgres/SQLite/etc.), which normally requires credentials; this omission is an inconsistency the publisher should justify.
Instruction Scope
SKILL.md instructions are focused on database connection, SQL, visualization and report generation and reference pip installing requirements.txt and use of local files and DB credentials. It also references user config patterns (e.g. ~/.my.cnf) and external CDNs for interactive charts. Those instructions stay within the stated domain, but they implicitly ask the agent/user to supply or read database credentials and local files — behavior that should be made explicit and limited to what is necessary.
Install Mechanism
Registry metadata says 'No install spec — instruction-only skill' while the package contains a substantial Python codebase (15+ scripts, requirements.txt, install_deps.sh, many templates). SKILL.md tells users to run 'pip install -r requirements.txt', but the platform has no declared install step. The mismatch (bundled code + no formal install spec) increases risk because code is present and could be executed but the skill does not declare how it will be installed or what will be run automatically. The presence of an install_deps.sh and many third-party dependencies means the user should review that script and requirements.txt before running installs.
Credentials
The skill requests no environment variables in its metadata, yet its functionality obviously requires database credentials (examples accept username/password) and may read local credential files (SKILL.md and references mention ~/.my.cnf). The absence of declared primaryEnv or required.env is an omission that reduces transparency: users should expect to supply DB credentials and should be warned that the code may access local files and the network (CDNs for Plotly/Chart.js).
Persistence & Privilege
always:false and user-invocable:true (defaults) — no elevated persistence is requested. The skill does not declare modifying other skills or system-wide agent settings. Autonomous invocation is allowed by default on the platform but is not an additional red flag here by itself.
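How to use
  1. Make sure OpenClaw is installed (local or Docker deployment)
  2. Enter the install command in the chat box: /install sql-database-toolkit
  3. Once installed, invoke the Skill by name or trigger it with /sql-database-toolkit
  4. Provide the required inputs per the Skill's parameter description to get structured output
Version history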
v1.0.0
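SQL Database Toolkit 1.0.0
- First unified release: consolidates the three feature packages sql-master, sql-dataviz, and sql-report-generator
- Supports multiple databases (such as SQLite, MySQL, PostgreSQL) and local data files (CSV/Excel/JSON/Parquet)
- Provides natural-language-to-SQL, SQL execution and optimization, and rich query-result analysis
- Includes 24+ static chart types and 12 interactive chart types, with a choice of themes (such as a Power BI style)
- One-click generation of complete HTML reports and KPI dashboards, with 90+ built-in industry templates
- Supports AI insights: automatic anomaly detection, trend analysis, correlation analysis, TOP N ranking, and more
- Provides a unified end-to-end pipeline covering the full flow from data to insights and reports
Metadata
Slug sql-database-toolkit
Version 1.0.0
License MIT-0
Total installs 0
Current installs 0
Historical versions 1
FAQ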

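What is SQL Database Toolkit?

All-in-one SQL data analysis toolkit supporting database/file connection, SQL query, visualization, AI insights, and report/dashboard generation with templates. It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 105 total downloads to date.

How do I install SQL Database Toolkit?

Run the command "/install sql-database-toolkit" in the OpenClaw or Claude Code chat box for a one-click install; no additional configuration is required.

Is SQL Database Toolkit free?

Yes. SQL Database Toolkit is completely free and uses the MIT-0 license; it can be freely downloaded, installed, and used.

Which platforms does SQL Database Toolkit support?

SQL Database Toolkit runs cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed (cross-platform).

Who developed SQL Database Toolkit?

Developed and maintained by SQLSkills (@sqlskills); the current version is v1.0.0.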
