// Static lint for sqlc-style SQL catalogs. Catches duplicate query names, missing semicolons, SELECT *, double-wildcard LIKE, and other cheap-but-easy-to-miss mistakes. Optional sqlfluff integration for full style coverage.
Migrate a TypeScript codebase to MoonBit on the `js` target while keeping the same JavaScript API contract, using mizchi/js (JS/Web/Node bindings), mizchi/x (cross-target async backend: process/fs/http/ws), and mizchi/npm_typed (npm bindings). Use when porting a TS library, Node service, npm package, or Cloudflare Worker to MoonBit and the existing JS/TS consumers, `.d.ts`, and tests must keep working unchanged.
Index coverage and N+1 review aids for SQLite/D1 schemas with a sqlc catalog. Surfaces unused indexes (with FK CASCADE awareness so cascade-load-bearing indexes are not flagged), queries that scan tables without index help, and `for`-loops calling generated SQL fns.
SQL injection screening for host code (MoonBit / TS / Rust) plus secretlint setup notes. Flags single-line template-literal or string-concat SQL builders, regardless of value source — the scanner is line-based and does NOT trace data flow, so a clean scan is not proof of safety (multi-line template literals are missed) and every hit needs a manual review or an explicit `// sql-security: ok` opt-out.
Deploy applications and infrastructure to Cloudflare using Workers, Pages, and related platform services. Use when the user asks to deploy, host, publish, or set up a project on Cloudflare.
Use ONLY when the user explicitly asks to discover or evaluate a skill from OUTSIDE the curated catalog — e.g., "find a Stripe skill", "is there a skill for X?", "evaluate this candidate before adopting". Meta-skill, complementary to skill-selector: do NOT auto-invoke on routine apm-management, project-init, or catalog-resident requests. Cross-source survey across vetted registries (Anthropic official, claude-skill-registry, VoltAgent/awesome-agent-skills, ComposioHQ, Superpowers, GitHub topic) with a mandatory waxa-eval adoption gate.
Meta-skill for picking project skills via APM. Invoke ONLY when the user explicitly asks to set up apm.yml, choose which skills a project needs, or evaluate a catalog match — do NOT auto-invoke on routine project-init or apm-management tasks. Two-phase: pick from a curated catalog first; only escalate to broader search/evaluation when the catalog has no fit. Avoids the failure mode of impulse-installing skills you never use or hand-searching GitHub when a vetted answer already exists.
| name | sql-lint |
| description | Static lint for sqlc-style SQL catalogs. Catches duplicate query names, missing semicolons, SELECT *, double-wildcard LIKE, and other cheap-but-easy-to-miss mistakes. Optional sqlfluff integration for full style coverage. |
| version | 0.1.0 |
| metadata | {"hermes":{"tags":["sql","sqlite","d1","dba","lint","sqlc"],"related_skills":["sql-plan-audit","sql-schema-audit","sql-security"],"engines":["sqlite","postgres","mysql"]}} |
Use this when a project has a SQL catalog (-- name: X :type comments or any named-query convention) and wants to enforce basic hygiene without adopting a heavy SQL linter.
This skill ships two linters, with different cost / coverage trade-offs.
scripts/catalog-lint.mjs is a Node 20+ script with no dependencies. It catches:
-- name: X header. Some codegens silently shadow; others break.;. sqlc rejects these at build time, but catalog-lint surfaces them in fmt-time.-- name: line that doesn't match name: X :type.SELECT * (always over-fetch).LIKE '%...%' (full-table scan risk).Run (this is the default first pass — start here before reaching for sqlfluff):
# `scripts/` is relative to THIS skill's directory. From elsewhere, use the
# absolute path, e.g. node "$CLAUDE_SKILLS_DIR/sql-lint/scripts/catalog-lint.mjs".
node scripts/catalog-lint.mjs your-project/db/queries.sql
echo "exit=$?" # 0 = clean, 1 = findings — the exit code IS the pass/fail signal
Exits 0 on clean / 1 on findings. Output is file:line: [rule] message, parseable by editor diagnostic gutters. Note: for select-star and double-wildcard-like, the reported line is the query's -- name: header, not the offending SQL line.
For full style coverage — keyword case, indentation, alias names, etc. — use sqlfluff. The skill ships .sqlfluff tuned for SQLite/D1 + sqlc catalogs:
uvx sqlfluff lint --config .sqlfluff your-project/db/queries.sql
uvx (from astral.sh/uv) runs sqlfluff in an ephemeral venv; nothing is installed permanently. If uv is missing, fall back to pip install sqlfluff or pipx install sqlfluff.
The shipped config disables a few sqlfluff rules:
AM04 (SELECT *) is handled by catalog-lint with better context.CP02 (column case) is too noisy on JSON path references like obj.field_name.L009 (trailing newline) is enforced by git.This skill does not police inline SQL in MoonBit / Rust / Go / etc. — ast-grep is the right tool there, but it requires per-language tree-sitter support. For host languages without a tree-sitter grammar (e.g. MoonBit), a text-grep baseline file (.linters/inline-sql-baseline.json) works: count .prepare( occurrences per file and refuse increases.
The companion sql-security skill documents the same approach for SQL injection.
sql-lint:
node scripts/catalog-lint.mjs db/queries.sql
For full sqlfluff in CI, run a separate sql-lint-style step so the cheap catalog-lint can fail fast.
catalog-lint.mjs is engine-agnostic — the rules look at SQL comments, semicolons, and basic patterns. Adapt to MySQL / Postgres by changing the sqlfluff dialect = sqlite line in .sqlfluff.
scripts/catalog-lint.mjs.uv / pipx / pip for sqlfluff.scripts/catalog-lint.mjs — zero-dep catalog linter..sqlfluff — opt-in sqlfluff config (SQLite dialect; change dialect = ... for other engines).