Is data-analyst safe?

https://clawhub.ai/oyi77/data-analyst

Score: 68 (CAUTION)

This data analyst skill is primarily an educational reference document with SQL templates and analysis patterns. However, it includes shell scripts that execute arbitrary SQL without sanitization (query.sh) and an init script that writes files outside the skill directory. Most critically, the installation environment accessed sensitive credential files (.env, .aws/credentials, auth-profiles.json) during setup, though no outbound network exfiltration was detected.

Category Scores

Prompt Injection 85/100 · 30%
Data Exfiltration 40/100 · 25%
Code Execution 55/100 · 20%
Clone Behavior 55/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 60/100 · 5%

Findings (7)

HIGH Sensitive credential files accessed during install -40

The skill's installation/runtime environment accessed .env, .aws/credentials, and auth-profiles.json. While this may be OpenClaw runtime behavior rather than skill-specific code, the skill triggered an execution context that reads secrets.

HIGH Shell scripts execute arbitrary SQL without sanitization -25

query.sh passes user-supplied strings directly to sqlite3, psql, and mysql CLI tools without any input validation, escaping, or parameterization. This creates SQL injection and potential shell injection vectors.

MEDIUM data-init.sh writes files outside skill directory -10

The initialization script creates directories and files under ~/.openclaw/workspace/data-analysis/, including an executable Python script. This modifies the user's home directory structure outside the skill's own directory.

MEDIUM Skill normalizes broad agent capabilities -20

The skill instructs agents to execute SQL against live databases, run shell scripts, create files, and process data with Python. This significantly expands the agent's default capabilities and attack surface even though each individual action appears benign.

MEDIUM SQL UPDATE/DELETE in documentation could be agent-executed -15

The SKILL.md contains executable SQL including UPDATE and DELETE-adjacent patterns in the data cleaning section. An agent interpreting these as instructions rather than documentation could modify live database records.

LOW Temporary files and gateway lock created during install -5

The installation process created /tmp/openclaw-1000/gateway.e9191928.lock and multiple jiti transpilation cache files, suggesting runtime initialization beyond simple file copy.

INFO Referenced scripts do not exist in repository -5

SKILL.md references analyze.py, extract_data.py, and format_report.py as usable scripts, but these files are not included in the skill. Only data-init.sh and query.sh are present.