中文 EN

Scan Report

Scan New Files

Trusted — Risk Score 5/100
Last scan:17 hr ago Rescan
5 /100
lucid-skill
AI-native data analysis skill. Connect Excel/CSV/MySQL/PostgreSQL, understand business semantics, query with natural language.
Legitimate AI-native data analysis skill with proper security controls including SQL safety whitelisting, credential stripping, and read-only query enforcement.
Skill Namelucid-skill
Duration64.5s
Enginepi
Safe to install
This skill is safe to use. No security concerns identified.

Findings 1 items

Severity Finding Location
Low
Loose dependency version constraints Supply Chain
pyproject.toml specifies minimum versions (duckdb>=1.0, click>=8.0) rather than exact pins. This is standard Python practice and does not pose significant risk.
dependencies = ["duckdb>=1.0", "click>=8.0", ...]
→ Optional: Pin exact versions for reproducible builds. Current approach is acceptable.
 pyproject.toml:18
ResourceDeclaredInferredStatusEvidence
Filesystem READ READ ✓ Aligned User-provided CSV/Excel files only, stored in ~/.lucid-skill/
Network READ READ ✓ Aligned Downloads ~460MB embedding model from HuggingFace (declared in SKILL.md)
Shell NONE NONE No subprocess or os.system calls found
Environment READ READ ✓ Aligned Reads LUCID_DATA_DIR and LUCID_EMBEDDING_ENABLED only
Skill Invoke ADMIN ADMIN ✓ Aligned Full MCP tool access (connect, query, search, etc.)
Database READ READ ✓ Aligned MySQL/PostgreSQL connections for schema discovery and SELECT queries only

File Tree

63 files · 227.2 KB · 6647 lines
Python 45f · 5544L Markdown 7f · 791L CSV 9f · 191L YAML 1f · 89L TOML 1f · 32L
├─ 📁 lucid_skill
│ ├─ 📁 catalog
│ │ ├─ 🐍 __init__.py Python 0 B
│ │ ├─ 🐍 profiler.py Python 54L · 1.4 KB
│ │ ├─ 🐍 schema.py Python 55L · 1.6 KB
│ │ └─ 🐍 store.py Python 489L · 18.0 KB
│ ├─ 📁 connectors
│ │ ├─ 🐍 __init__.py Python 0 B
│ │ ├─ 🐍 base.py Python 28L · 630 B
│ │ ├─ 🐍 csv_conn.py Python 105L · 3.7 KB
│ │ ├─ 🐍 excel_conn.py Python 108L · 3.9 KB
│ │ ├─ 🐍 mysql_conn.py Python 144L · 5.1 KB
│ │ └─ 🐍 postgres_conn.py Python 162L · 5.9 KB
│ ├─ 📁 discovery
│ │ ├─ 🐍 __init__.py Python 0 B
│ │ ├─ 🐍 domains.py Python 443L · 13.0 KB
│ │ └─ 🐍 joins.py Python 511L · 19.7 KB
│ ├─ 📁 query
│ │ ├─ 🐍 __init__.py Python 0 B
│ │ ├─ 🐍 engine.py Python 67L · 2.0 KB
│ │ ├─ 🐍 formatter.py Python 74L · 1.9 KB
│ │ ├─ 🐍 router.py Python 100L · 3.7 KB
│ │ └─ 🐍 safety.py Python 43L · 1.6 KB
│ ├─ 📁 semantic
│ │ ├─ 🐍 __init__.py Python 0 B
│ │ ├─ 🐍 embedder.py Python 104L · 3.4 KB
│ │ ├─ 🐍 hybrid.py Python 90L · 3.0 KB
│ │ ├─ 🐍 index.py Python 141L · 5.1 KB
│ │ ├─ 🐍 layer.py Python 139L · 4.6 KB
│ │ └─ 🐍 search.py Python 34L · 1.0 KB
│ ├─ 📁 tools
│ │ ├─ 🐍 __init__.py Python 0 B
│ │ ├─ 🐍 connect.py Python 91L · 2.6 KB
│ │ ├─ 🐍 describe.py Python 91L · 3.0 KB
│ │ ├─ 🐍 discovery.py Python 216L · 7.3 KB
│ │ ├─ 🐍 overview.py Python 52L · 1.5 KB
│ │ ├─ 🐍 profile.py Python 94L · 3.2 KB
│ │ ├─ 🐍 query.py Python 42L · 1.2 KB
│ │ ├─ 🐍 search.py Python 137L · 4.6 KB
│ │ └─ 🐍 semantic.py Python 230L · 7.9 KB
│ ├─ 🐍 __init__.py Python 1L · 22 B
│ ├─ 🐍 __main__.py Python 3L · 41 B
│ ├─ 🐍 cli.py Python 459L · 15.6 KB
│ ├─ 🐍 config.py Python 93L · 2.5 KB
│ ├─ 🐍 server.py Python 445L · 20.7 KB
│ ├─ 🐍 startup.py Python 107L · 3.6 KB
│ └─ 🐍 types.py Python 230L · 4.0 KB
├─ 📁 references
│ ├─ 📝 commands.md Markdown 212L · 4.2 KB
│ ├─ 📝 json-schema.md Markdown 116L · 3.4 KB
│ └─ 📝 workflow.md Markdown 127L · 3.5 KB
├─ 📁 semantic_store
│ └─ 📁 csv_orders_csv
│ └─ 📋 orders.yaml YAML 89L · 1.9 KB
├─ 📁 tests
│ ├─ 📁 datasets
│ │ ├─ 📁 cross-source-a
│ │ │ └─ 📄 shop_orders.csv CSV 6L · 184 B
│ │ ├─ 📁 cross-source-b
│ │ │ └─ 📄 shop_customers.csv CSV 6L · 242 B
│ │ ├─ 📁 ecommerce
│ │ │ ├─ 📄 customers.csv CSV 16L · 1.3 KB
│ │ │ ├─ 📄 order_items.csv CSV 54L · 2.4 KB
│ │ │ ├─ 📄 orders.csv CSV 31L · 2.3 KB
│ │ │ └─ 📄 products.csv CSV 21L · 1.4 KB
│ │ ├─ 📁 hr
│ │ │ ├─ 📄 departments.csv CSV 13L · 593 B
│ │ │ └─ 📄 employees.csv CSV 31L · 2.4 KB
│ │ ├─ 📁 superstore
│ │ │ └─ 📄 orders.csv CSV 13L · 1.6 KB
│ │ └─ 📝 README.md Markdown 61L · 2.1 KB
│ ├─ 🐍 test_catalog.py Python 109L · 3.5 KB
│ ├─ 🐍 test_config.py Python 19L · 560 B
│ ├─ 🐍 test_csv_connect.py Python 93L · 3.2 KB
│ ├─ 🐍 test_engine.py Python 77L · 2.2 KB
│ └─ 🐍 test_safety.py Python 64L · 1.7 KB
├─ 📝 CLAUDE.md Markdown 63L · 3.5 KB
├─ 📄 pyproject.toml TOML 32L · 802 B
├─ 📝 README.md Markdown 119L · 3.1 KB
└─ 📝 SKILL.md Markdown 93L · 4.2 KB

Dependencies 7 items

PackageVersionSourceKnown VulnsNotes
duckdb >=1.0 pip No Minimum version specified
click >=8.0 pip No Minimum version specified
pyyaml >=6.0 pip No Minimum version specified
mcp >=1.0 pip No Minimum version specified
psycopg2-binary unpinned pip[db] No Optional dependency
mysql-connector-python unpinned pip[db] No Optional dependency
sentence-transformers unpinned pip[embedding] No Optional dependency

Security Positives

✓ SQL safety checker uses whitelist approach - only SELECT/WITH allowed
✓ Credentials explicitly stripped before persistence (store.py:upsert_source)
✓ No shell execution or subprocess calls found
✓ No credential harvesting or exfiltration to external IPs
✓ No obfuscation or base64-encoded payloads
✓ Read-only queries enforced - INSERT/UPDATE/DELETE/DROP blocked
✓ Comprehensive test coverage for safety checker
✓ MIT licensed open source with transparent implementation
✓ DuckDB used for both catalog storage and query engine (sandboxed)