Discover high-quality AI Agent skills
Aggregates quality resources such as Claude Skills, LangChain and AutoGPT to help developers build intelligent applications quickly
SQL
Master relational databases from the command line. Covers SQLite, PostgreSQL, MySQL, and SQL Server with battle-tested patterns for schema design, querying, migrations, and operations.
Security Traps
- `where("email = '#{params[:email]}'")` — SQL injection, use `where(email: params[:email])`
- `Model.new(params[:model])` without permit — mass assignment even with strong params
- `skip_forgery_protection` on API — still needed if session-based auth
- `html_safe` on user input — stored XSS, escape first then mark safe
- `send(params[:method])` — arbitrary method call, whitelist allowed methods
Security Traps
- SQL injection — use prepared statements, NEVER concatenate user input
- XSS — `htmlspecialchars($input, ENT_QUOTES, 'UTF-8')` on all output
- CSRF — verify token on state-changing requests
- File upload — check MIME type, extension, AND magic bytes
- `include($userInput)` — remote file inclusion, validate path strictly
MySQL Transactions
- READ UNCOMMITTED
- READ COMMITTED
- REPEATABLE READ (default)
- SERIALIZABLE
MySQL Index Design
- Default index type
- Good for equality and range queries
- Leftmost prefix rule applies
FastAPI Patterns
- Mixing sync database drivers (psycopg2, PyMySQL) in async endpoints blocks the event loop — use async drivers (asyncpg, aiomysql) or run sync code in `run_in_executor`
- `time.sleep()` in async endpoints blocks everything — use `await asyncio.sleep()` instead
- CPU-bound work in async endpoints starves other requests — offload to `ProcessPoolExecutor` or background workers
- Async endpoints calling sync functions that do I/O still block — the entire call chain must be async
Security Traps
- `|safe` filter disables escaping — XSS if content is user input
- `mark_safe()` trusts content — never use on user data
- `@csrf_exempt` removes protection — use only with other auth (API keys)
- `.extra()` / `.raw()` — SQL injection if interpolating user input
- `DEBUG=True` in production — exposes settings, paths, SQL queries
ORM Traps
- Iterating QuerySet twice hits DB twice — `list(qs)` to cache
- `exists()` vs `bool(qs)` — bool fetches all rows, exists() is O(1)
- `count()` vs `len(qs)` — len() fetches all, count() uses SQL COUNT
- No `select_related` in loop = N+1 — one query per FK access
- `prefetch_related` after filter — invalidates cache, N+1 returns
Data Sources by Use Case
- **Stripe/Paddle:** MRR, churn, LTV, subscriptions via API
- **Analytics:** Mixpanel, Amplitude, PostHog, Google Analytics
- **CRM:** HubSpot, Pipedrive for sales pipeline
- **Custom DB:** Direct PostgreSQL/MySQL queries for user data