📦 EdgeIQ
v1.0.0: Scans web app parameters for SQL injection vulnerabilities using boolean, time-based, and UNION SELECT techniques with optional JSON reporting.
Last updated
2026/4/24
Security scan
OpenClaw
Suspicious
Medium confidence: The skill is broadly what it says (an active SQLi scanner) but the runtime code expects undeclared license env/files and contains an odd hardcoded email-based license fallback — these inconsistencies and the fact it will actively probe remote sites make it worth further review before installing or running.
Assessment recommendation
This package appears to implement an active SQL injection scanner as advertised, but you should be cautious before installing or running it.
Key points to consider:
- Active scanning risk: The tool will send many crafted HTTP requests to targets. Only run it against systems you own or have explicit written permission to test. Unauthorized scanning is illegal and can trigger intrusion detection.
- Undeclared env vars and license backdoor: The skill and code expect EDGEIQ_EMAIL and EDGEIQ_LICENSE...
✓ Purpose and capabilities
Name, description, SKILL.md, README, and the included Python scanner code are consistent: the package implements boolean, time-based, and UNION SELECT SQL injection checks and JSON reporting as described.
ℹ Instruction scope
SKILL.md instructs running sql_scanner.py against target URLs (and optionally setting EDGEIQ_EMAIL). The tool performs active HTTP requests to targets (expected for a scanner). SKILL.md warns about legality, which is appropriate. Note: the instructions suggest Discord commands but there is no Discord integration code — that's just an example usage channel.
✓ Installation mechanism
No install spec or remote downloads; code files are included with the skill. No archive downloads or execution of externally fetched code were observed in the provided files.
⚠ Credential requirements
Registry metadata declares no required env vars, but SKILL.md and the code use EDGEIQ_EMAIL and EDGEIQ_LICENSE_KEY and read ~/.edgeiq/license.key and stripe_licenses.json. The code grants full Pro/Bundle access if EDGEIQ_EMAIL is a specific hardcoded address (gpalmieri21@gmail.com). Undeclared env vars and a hardcoded email-based licensing fallback are surprising and disproportionate to the scanner's purpose.
✓ Persistence and permissions
Skill does not request always:true, does not modify other skills, and only reads (not writes) a user license path in the home directory. No evidence of persistent system-wide changes.
Security is layered; review the code before running.
Runtime dependencies
No special dependencies
Version
latest v1.0.0 2026/4/24
Initial release: boolean blind, time-based blind, UNION SELECT detection, auto-parameter scanning.
● Harmless
Install command
Official: npx clawhub@latest install edgeiq-sql-injection-scanner
Mirror (accelerated): npx clawhub@latest install edgeiq-sql-injection-scanner --registry https://cn.longxiaskill.com