Trust Assessment
database-query received a trust score of 65/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 2 findings: 2 critical, 0 high, 0 medium, and 0 low severity. Both are SQL injection via string concatenation, one in `search_users` and one in `get_user_by_id`.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 40/100, indicating areas for improvement.
Last analyzed on February 12, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (2)
| Severity | Finding | Description | Remediation | Layer | Location |
|---|---|---|---|---|---|
| CRITICAL | SQL injection via string concatenation in `search_users` | The `search_users` function builds its SQL query by concatenating user-controlled input (`search_term` and `table_name`) directly into the SQL string. An attacker can therefore reshape the query to read, modify or delete data they are not authorized to touch, or run arbitrary database commands. The code itself carries the comment 'CRITICAL: SQL injection via string concatenation'. | Use parameterized queries or prepared statements to separate SQL logic from user input. With `sqlite3`, use `?` or named (`:param_name`) placeholders and pass the values as a tuple to `cursor.execute()`. | LLM | query.py:29 |
| CRITICAL | SQL injection via string concatenation in `get_user_by_id` | The `get_user_by_id` function builds its SQL query by concatenating user-controlled input (`user_id`) directly into the SQL string. An attacker can therefore reshape the query to read, modify or delete data they are not authorized to touch, or run arbitrary database commands. The code itself carries the comment 'CRITICAL: SQL injection'. | Use parameterized queries or prepared statements to separate SQL logic from user input. With `sqlite3`, use `?` or named (`:param_name`) placeholders and pass the values as a tuple to `cursor.execute()`. | LLM | query.py:39 |
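Both findings describe the same defect, so one added example covers them. The code below is not from the database-query skill or from SkillShield: the vulnerable function bodies are a hypothetical reconstruction of the pattern the report describes (string concatenation of `search_term`, `table_name` and `user_id` into a `sqlite3` query), and the in-memory database, the `secrets` table and the `ALLOWED_TABLES` allowlist are constructed for the demonstration. It goes one step beyond the remediation text: `table_name` is an identifier, not a value, so it cannot be bound with a `?` placeholder and must instead be checked against an allowlist.

```python
import sqlite3

# Constructed sample data so the example runs offline (not the skill's schema).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, is_admin INTEGER);
        INSERT INTO users VALUES (1, 'alice', 1), (2, 'bob', 0), (3, 'carol', 0);
        CREATE TABLE secrets (id INTEGER PRIMARY KEY, value TEXT);
        INSERT INTO secrets VALUES (1, 'api-key-do-not-leak');
    """)
    return conn


# --- Vulnerable shape: hypothetical reconstruction of the reported pattern ---
def search_users_vulnerable(conn, table_name, search_term):
    # Both the table name and the search term land in the SQL text unchanged.
    query = f"SELECT id, name FROM {table_name} WHERE name LIKE '%{search_term}%'"
    return conn.execute(query).fetchall()


def get_user_by_id_vulnerable(conn, user_id):
    # A user_id of "1 OR 1=1" turns a point lookup into a full table read.
    query = "SELECT id, name FROM users WHERE id = " + str(user_id)
    return conn.execute(query).fetchall()


# --- Hardened form ---
ALLOWED_TABLES = {"users"}   # assumption: identifiers are chosen from a fixed set


def search_users_safe(conn, table_name, search_term):
    # Identifiers cannot be bound as parameters, so reject anything not allowlisted.
    if table_name not in ALLOWED_TABLES:
        raise ValueError(f"table not allowed: {table_name!r}")
    # The value is bound with ?, so quotes and comment markers in it are inert.
    # LIKE wildcards in the term are escaped so the user cannot widen the match.
    pattern = "%" + search_term.replace("%", r"\%").replace("_", r"\_") + "%"
    query = f"SELECT id, name FROM {table_name} WHERE name LIKE ? ESCAPE '\\'"
    return conn.execute(query, (pattern,)).fetchall()


def get_user_by_id_safe(conn, user_id):
    # Enforce the type at the boundary, then bind with a named placeholder.
    if not isinstance(user_id, int):
        raise TypeError("user_id must be an int")
    query = "SELECT id, name FROM users WHERE id = :id"
    return conn.execute(query, {"id": user_id}).fetchall()


if __name__ == "__main__":
    db = make_db()
    payload = "' UNION SELECT id, value FROM secrets --"
    print("vulnerable search:", search_users_vulnerable(db, "users", payload))
    print("vulnerable lookup:", get_user_by_id_vulnerable(db, "1 OR 1=1"))
    print("safe search:     ", search_users_safe(db, "users", payload))
    print("safe lookup:     ", get_user_by_id_safe(db, 1))
```

Running it shows the vulnerable search returning the `secrets` row alongside the users, and the vulnerable lookup returning every user; the hardened versions return no match for the payload and exactly one row for the integer id, and refuse an unlisted table or a non-integer id outright. The allowlist is the part that parameterization alone does not give you; without it the `table_name` path stays injectable even after `search_term` is bound.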
Full report: https://skillshield.io/report/0a73932029406406
Powered by SkillShield