lnguyen1996

SQL Query Reviewer

Author Lnguyen1996 · GitHub ↗ · v1.0.0 · MIT-0
cross-platform ✓ Security check passed
Total downloads: 186
Favorites: 0
Current installs: 0
Versions: 1
Install in OpenClaw
/install sql-query-reviewer
Feature description
Reviews SQL queries for correctness, security risks, and performance issues; provides a structured report with severity ratings and optimized rewrites.
Usage instructions (SKILL.md)

sql-query-reviewer

Description

Review SQL queries across any dialect for correctness, performance, and security. Finds N+1 patterns, missing indexes, injection risks, cartesian joins, and implicit type casts. Returns a structured report with severity ratings and optimized rewrites.

Use when

  • "optimize this query"
  • "is this SQL safe"
  • "why is my query slow"
  • "check my SQL"
  • "is this injection-safe"
  • Any raw SQL query, ORM-generated SQL, or migration file

Supported dialects

PostgreSQL, MySQL, SQLite, SQL Server (T-SQL), Oracle, BigQuery, Snowflake — and any ANSI SQL.

Input

Paste the SQL query or queries. Optionally specify:

  • Dialect (defaults to generic ANSI SQL)
  • Approximate table sizes (helps with index advice)
  • Whether this is in a hot path (e.g., called on every request)
  • ORM in use (if applicable)

Output format

## SQL Query Review

### Critical (fix before production)
- [Finding] — [why this causes bugs or data loss]
  ✗ Before: [problematic SQL]
  ✓ After:  [corrected SQL]

### Performance (should fix)
- [Finding] — [estimated impact]
  ✗ Before: [slow SQL]
  ✓ After:  [optimized SQL]

### Suggestions (nice to have)
- [Finding] — [explanation]

### What's correct
- [Specific patterns done right]

### Summary
[2–3 sentences: biggest risk, top fix, index recommendations if any]

Review checklist

Correctness

  • NULL comparison using = instead of IS NULL
  • NOT IN with a subquery that can return NULLs — always false
  • UNION instead of UNION ALL when duplicates are acceptable (unnecessary dedup)
  • Wrong join type: INNER when LEFT needed, or vice versa
  • Cartesian join (missing ON clause or cross join without intent)
  • Aggregate without GROUP BY on non-aggregated columns
  • Incorrect use of HAVING vs WHERE
  • Date/time arithmetic in wrong timezone
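To make the first three correctness items concrete, here is an added example (not part of the skill's SKILL.md) that runs the "before" and "after" forms of each query against a constructed in-memory SQLite table and returns the row counts. The schema, table names and sample rows are invented for this illustration.

```python
import sqlite3

# Constructed sample data for the demonstration (not from the page):
# one order has no customer (customer_id IS NULL), which is what breaks NOT IN.
SCHEMA = """
CREATE TABLE customers (id INTEGER PRIMARY KEY, name TEXT);
CREATE TABLE orders (id INTEGER PRIMARY KEY, customer_id INTEGER, amount INTEGER);
INSERT INTO customers VALUES (1, 'alice'), (2, 'bob'), (3, 'carol');
INSERT INTO orders VALUES (10, 1, 50), (11, 1, 50), (12, NULL, 20), (13, 2, 70);
"""


def open_db():
    """Fresh in-memory database populated with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def count(conn, sql):
    """Number of rows a query returns."""
    return len(conn.execute(sql).fetchall())


def null_comparison():
    """'= NULL' is never true; IS NULL is the correct test. Returns (wrong, right)."""
    conn = open_db()
    wrong = count(conn, "SELECT id FROM orders WHERE customer_id = NULL")
    right = count(conn, "SELECT id FROM orders WHERE customer_id IS NULL")
    return wrong, right


def not_in_with_nulls():
    """Customers with no orders: expected answer is carol (one row).
    NOT IN over a subquery that yields a NULL evaluates to UNKNOWN for every
    candidate row, so nothing is returned; NOT EXISTS gives the right answer."""
    conn = open_db()
    wrong = count(conn, """
        SELECT id FROM customers
        WHERE id NOT IN (SELECT customer_id FROM orders)""")
    right = count(conn, """
        SELECT c.id FROM customers c
        WHERE NOT EXISTS (SELECT 1 FROM orders o WHERE o.customer_id = c.id)""")
    return wrong, right


def union_vs_union_all():
    """UNION deduplicates (and sorts) the combined rows; UNION ALL keeps every row.
    Returns (rows with UNION, rows with UNION ALL)."""
    conn = open_db()
    dedup = count(conn, "SELECT amount FROM orders UNION SELECT amount FROM orders")
    keep = count(conn, "SELECT amount FROM orders UNION ALL SELECT amount FROM orders")
    return dedup, keep


if __name__ == "__main__":
    print("= NULL vs IS NULL:", null_comparison())
    print("NOT IN vs NOT EXISTS:", not_in_with_nulls())
    print("UNION vs UNION ALL:", union_vs_union_all())
```

The NOT IN case is the one most often missed in review: the query runs without error and simply returns no rows, which looks like "no customers without orders" rather than a bug.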

Security

  • String interpolation into query — SQL injection risk
  • User-supplied value in ORDER BY, LIMIT, table/column name
  • Missing parameterisation in dynamic SQL
  • Overly broad SELECT * that exposes sensitive columns
  • Missing row-level security filter
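The security items above reduce to one rule: values are bound as parameters, identifiers (ORDER BY columns, table or column names) are checked against an allow-list, and LIMIT is bounded. The following added example (not the skill's own code; the `users` table, its columns and the sample rows are constructed for the illustration) shows a query builder that applies all three, backed by an in-memory SQLite database.

```python
import sqlite3

# Identifiers may only come from this allow-list; nothing user-supplied reaches
# the ORDER BY clause unchecked. Note that a sensitive column such as `email`
# is deliberately not sortable/exposed here.
ALLOWED_SORT_COLUMNS = {"name", "created_at"}
MAX_LIMIT = 100

# Constructed sample schema and rows (not from the page).
SCHEMA = """
CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT, created_at TEXT);
INSERT INTO users VALUES
  (1, 'alice', 'alice@example.test', '2024-01-01'),
  (2, 'bob',   'bob@example.test',   '2024-02-01'),
  (3, 'carol', 'carol@example.test', '2024-03-01');
"""


def open_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def build_user_query(name_filter, sort_by="name", limit=20):
    """Return (sql, params). The filter value and the limit are bound parameters;
    the sort column is validated against ALLOWED_SORT_COLUMNS before it is
    interpolated, because identifiers cannot be bound."""
    if sort_by not in ALLOWED_SORT_COLUMNS:
        raise ValueError(f"sort column not allowed: {sort_by!r}")
    if not 1 <= limit <= MAX_LIMIT:
        raise ValueError(f"limit out of range: {limit}")
    sql = f"SELECT id, name FROM users WHERE name = ? ORDER BY {sort_by} LIMIT ?"
    return sql, (name_filter, limit)


def find_users(conn, name_filter, sort_by="name", limit=20):
    """Run the built query and return the matching user names."""
    sql, params = build_user_query(name_filter, sort_by, limit)
    return [row[1] for row in conn.execute(sql, params).fetchall()]


def rejects(name_filter, **kwargs):
    """True if build_user_query refuses the given identifier or limit."""
    try:
        build_user_query(name_filter, **kwargs)
    except ValueError:
        return True
    return False


def bound_value_is_literal(conn):
    """A quote-bearing filter value is matched literally when bound, so a
    constructed probe string simply matches no user (returns an empty list)."""
    return find_users(conn, "' OR 1=1 --")


if __name__ == "__main__":
    db = open_db()
    print(find_users(db, "alice"))                       # ['alice']
    print(find_users(db, "o'brien"))                     # [] and no syntax error
    print(bound_value_is_literal(db))                    # []
    print(rejects("alice", sort_by="email"))             # True
    print(rejects("alice", limit=1000))                  # True
```

The review finding for this pattern is not "uses an f-string" but "interpolates something that is not allow-listed"; the builder above is acceptable precisely because the only interpolated token has already been checked.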

Performance

  • SELECT * when only specific columns needed (excess data transfer)
  • Missing WHERE clause on large table scan
  • LIKE '%value%' — can't use index (leading wildcard)
  • Function applied to indexed column in WHERE — defeats index
  • N+1: query inside a loop that could be a single JOIN
  • Missing index on foreign key or frequently filtered column
  • Subquery that re-executes per row — use CTE or JOIN instead
  • ORDER BY RAND() or equivalent — full table scan
  • Unbounded result set with no LIMIT

Style

  • Inconsistent case (keywords, identifiers)
  • Ambiguous column reference without table alias
  • Long query with no CTEs to break it into readable steps
  • Magic number with no comment explaining it

Severity definitions

  • Critical: Correctness bug (wrong results), injection risk, or data loss — fix before production
  • Performance: Causes slow queries, full scans, or poor scalability — fix before release
  • Suggestion: Readability, maintainability, or defensive coding improvement
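The checklist plus these severity definitions can be turned into a small static reviewer. The skill itself is instruction-only (an agent reads SKILL.md; there is no code), so the following is an added illustration, not the skill's implementation: regex heuristics for a subset of the checklist items, each tagged with the severity the page assigns, producing a report in the page's output format. The sample queries are constructed, and the checks are intentionally simple; a production linter would parse the SQL rather than pattern-match it.

```python
import re

# Pattern checks: (severity, finding, regex). Severities follow the page's
# definitions: Critical, Performance, Suggestion.
PATTERN_CHECKS = [
    ("Critical", "NULL compared with =, <> or != (use IS NULL / IS NOT NULL)",
     re.compile(r"(=|<>|!=)\s*NULL\b", re.I)),
    ("Critical", "NOT IN with a subquery: a NULL in the subquery makes the predicate never true",
     re.compile(r"\bNOT\s+IN\s*\(\s*SELECT\b", re.I)),
    ("Performance", "LIKE with a leading wildcard cannot use an index",
     re.compile(r"\bLIKE\s+'%", re.I)),
    ("Performance", "ORDER BY RAND()/RANDOM() forces a full scan",
     re.compile(r"\bORDER\s+BY\s+RAND(?:OM)?\s*\(", re.I)),
    ("Performance", "function applied to a column in WHERE defeats the index",
     re.compile(r"\bWHERE\s+\w+\s*\(\s*\w+", re.I)),
    ("Performance", "SELECT * transfers columns the caller may not need",
     re.compile(r"\bSELECT\s+\*", re.I)),
]
COMMA_JOIN = re.compile(r"\bFROM\s+\w+(?:\s+\w+)?\s*,\s*\w+", re.I)
KEYWORDS = re.compile(r"\b(select|from|where|join|on|and|or|order|by|limit|group|having)\b", re.I)

SECTIONS = [
    ("Critical", "Critical (fix before production)"),
    ("Performance", "Performance (should fix)"),
    ("Suggestion", "Suggestions (nice to have)"),
]


def review(sql):
    """Return a list of (severity, finding) tuples for one query."""
    findings = [(sev, msg) for sev, msg, rx in PATTERN_CHECKS if rx.search(sql)]
    has_where = re.search(r"\bWHERE\b", sql, re.I) is not None
    has_limit = re.search(r"\bLIMIT\b", sql, re.I) is not None
    # Comma join with no WHERE at all: every row pairs with every row.
    if COMMA_JOIN.search(sql) and not has_where:
        findings.append(("Critical", "comma join with no WHERE clause produces a cartesian product"))
    # Whole-table read with neither a filter nor a bound.
    if not has_where and not has_limit:
        findings.append(("Performance", "unbounded result set: no WHERE clause and no LIMIT"))
    # Style: keywords written in both upper and lower case in the same query.
    words = KEYWORDS.findall(sql)
    if any(w.isupper() for w in words) and any(w.islower() for w in words):
        findings.append(("Suggestion", "inconsistent keyword case (mixed upper and lower)"))
    return findings


def format_report(sql):
    """Render findings in the page's '## SQL Query Review' layout."""
    findings = review(sql)
    lines = ["## SQL Query Review"]
    for sev, title in SECTIONS:
        items = [msg for s, msg in findings if s == sev]
        if items:
            lines.append(f"### {title}")
            lines.extend(f"- {msg}" for msg in items)
    if not findings:
        lines.append("### What's correct")
        lines.append("- no checklist pattern matched")
    return "\n".join(lines)


# Constructed sample queries (not from the page).
SAMPLE_QUERIES = {
    "bad": "SELECT * FROM users WHERE deleted_at = NULL AND email LIKE '%@example.test' ORDER BY RAND()",
    "cartesian": "SELECT a.id, b.id FROM accounts a, balances b",
    "not_in": "SELECT c.id FROM customers c WHERE c.id NOT IN (SELECT customer_id FROM orders)",
    "mixed_case": "select id from users WHERE id = ? limit 1",
    "ok": "SELECT id, email FROM users WHERE email = ? LIMIT 50",
}

if __name__ == "__main__":
    for name, sql in SAMPLE_QUERIES.items():
        print(f"--- {name}\n{format_report(sql)}\n")
```

The "bad" query trips four checks at two severities, while "ok" produces only the "What's correct" section; the reviewer's job is then to fill in the "Before/After" rewrites the page's template asks for.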

Self-improvement instructions

After each review, note the most common finding. After 20 reviews, surface the top 3 SQL anti-patterns seen as "Most common SQL issues" at the top of the response.

Safe usage advice
This skill is coherent and appears to do static SQL review only. Before installing: (1) avoid pasting sensitive production data (passwords, full PII) into queries you submit; (2) if you are uncomfortable with the 'self-improvement' behavior, check whether your agent stores review counts or shared memory — the skill's instructions expect the agent to track counts but do not specify where; (3) remember the skill is not connecting to your database — it cannot run queries or validate runtime plans, so provide approximate table sizes or explain hot-path context when you need realistic index advice; (4) prefer using on-prem or vetted tools if you need guaranteed data privacy. Overall this skill is consistent with its stated purpose.
Feature analysis
Type: OpenClaw Skill
Name: sql-query-reviewer
Version: 1.0.0
The skill bundle is a standard SQL query review tool designed to analyze queries for performance, security, and correctness. The SKILL.md file contains comprehensive checklists for identifying SQL injection, N+1 patterns, and missing indexes, and it includes a benign self-improvement instruction for the agent to track common anti-patterns over time. There is no evidence of malicious code, data exfiltration, or harmful prompt injection.
Capability assessment
Purpose & Capability
The name/description (review SQL for correctness, security, performance) matches the SKILL.md instructions. No unrelated environment variables, binaries, or install steps are required. The lack of homepage/source is inconvenient for provenance but does not create an obvious capability mismatch given this is instruction-only.
Instruction Scope
Instructions focus on static analysis of SQL provided by the user and list specific checks to run. They do not instruct reading system files, environment variables, or contacting external endpoints. One item to note: the 'self-improvement' instruction asks the agent to count findings across reviews and surface top anti-patterns after 20 reviews — that implies maintaining state across runs (agent memory or external storage) but the skill gives no guidance on how/where to persist that data.
Install Mechanism
No install spec and no code files — lowest-risk, instruction-only skill. Nothing is downloaded or written to disk by the skill itself.
Credentials
No environment variables, credentials, or config paths are requested. The checks described (injection patterns, indexes, joins, etc.) are consistent with this lack of external credentials.
Persistence & Privilege
always:false and no elevated privileges — appropriate. However, the self-improvement instruction implicitly requires persistence of review counts; if the agent implements that by writing to memory or storage, users should be aware that aggregated findings may be retained. The skill itself does not request persistent privileges or system-wide changes.
How to use
  1. Make sure OpenClaw is installed (locally or as a Docker deployment)
  2. Enter the install command in the chat box: /install sql-query-reviewer
  3. Once installed, invoke the skill by name or trigger it with /sql-query-reviewer
  4. Provide the required input as described in the skill's parameter notes to get structured output
Version history
v1.0.0
Initial release of sql-query-reviewer skill.
  • Reviews SQL queries for correctness, performance, and security issues across major dialects
  • Detects common problems: N+1, missing indexes, injection risks, cartesian joins, implicit casts, and more
  • Returns structured review reports with severity ratings and optimized rewrites
  • Highlights what's correct alongside actionable fixes and summary recommendations
  • Supports PostgreSQL, MySQL, SQLite, SQL Server, Oracle, BigQuery, Snowflake, and ANSI SQL
  • Learns from usage to surface the top 3 most common SQL issues over time
Metadata
Slug: sql-query-reviewer
Version: 1.0.0
License: MIT-0
Total installs: 0
Current installs: 0
Versions: 1
FAQ

What is SQL Query Reviewer?

Reviews SQL queries for correctness, security risks, and performance issues; provides a structured report with severity ratings and optimized rewrites. It is an AI Agent Skill plugin for Claude Code / OpenClaw, downloaded 186 times to date.

How do I install SQL Query Reviewer?

Run the command "/install sql-query-reviewer" in the OpenClaw or Claude Code chat box to install it in one step; no extra configuration is needed.

Is SQL Query Reviewer free?

Yes. SQL Query Reviewer is completely free under the MIT-0 license; you may download, install and use it freely.

Which platforms does SQL Query Reviewer support?

SQL Query Reviewer is cross-platform and runs in any environment where OpenClaw / Claude Code is deployed.

Who developed SQL Query Reviewer?

Developed and maintained by Lnguyen1996 (@lnguyen1996); current version v1.0.0.
