Asi sqlite-scanner
Scan filesystems for SQLite databases by magic-byte detection. Wraps simonw/sqlite-scanner (Go binary via PyPI/uvx). Use for forensic inventory, honeypot canary detection, VM disk auditing, and database cataloging.
git clone https://github.com/plurigrid/asi
T=$(mktemp -d) && git clone --depth=1 https://github.com/plurigrid/asi "$T" && mkdir -p ~/.claude/skills && cp -r "$T/skills/sqlite-scanner" ~/.claude/skills/plurigrid-asi-sqlite-scanner && rm -rf "$T"
skills/sqlite-scanner/SKILL.md
sqlite-scanner - SQLite Database Filesystem Scanner
Overview
sqlite-scanner wraps Simon Willison's Go CLI tool that identifies SQLite databases by reading the first 16 bytes of every file and comparing against the magic header `SQLite format 3\x00`. No file extension guessing — pure binary signature detection.
Role: MINUS verifier in triadic consensus — validates filesystem state by detecting hidden/renamed SQLite databases.
Quick Start
```bash
# One-shot via uvx (no install needed)
uvx sqlite-scanner ~/

# With JSON output and sizes
uvx sqlite-scanner --json --size /path/to/scan

# Streaming JSONL for pipeline consumption
uvx sqlite-scanner --jsonl --size ~/Library ~/Documents
```
When to Use
- Forensic inventory: Find all SQLite databases on a system regardless of extension
- VM disk auditing: Scan mounted VM disk images for database artifacts
- Honeypot validation: Verify canary SQLite files are planted correctly
- Pre-migration cataloging: Inventory databases before system moves
- Stealer artifact detection: Find browser/app databases in unexpected locations
When NOT to Use
- Querying database contents (use DuckDB or sqlite3)
- Modifying databases (use appropriate write tools)
- Scanning network shares (latency makes magic-byte reads slow)
CLI Reference
| Flag | Default | Description |
|---|---|---|
| | `runtime.NumCPU()` | Parallel worker goroutines |
| `--size` | | Include file size in output |
| `--json` | | Pretty-printed JSON array |
| `--jsonl` | | Newline-delimited JSON |
| | - | Print version |
Positional args: One or more directories to scan. Defaults to `.` if none given.
Output Formats
Plain text (default)
```text
/Users/bob/Library/Safari/History.db
/Users/bob/Library/Messages/chat.db
```
JSON (`--json --size`)
```json
{"entries": [
  {"path": "/Users/bob/Library/Safari/History.db", "size": 1048576},
  {"path": "/Users/bob/Library/Messages/chat.db", "size": 524288}
]}
```
JSONL (`--jsonl --size`)
```json
{"path":"/Users/bob/Library/Safari/History.db","size":1048576}
{"path":"/Users/bob/Library/Messages/chat.db","size":524288}
```
Detection Method
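```go
import (
	"bytes"
	"io"
	"os"
)

var sqliteMagic = []byte("SQLite format 3\x00") // 16-byte file header

func checkSQLiteMagic(path string) bool {
	f, err := os.Open(path)
	if err != nil {
		return false // unreadable file: not a match
	}
	defer f.Close() // every file gets opened, so release the descriptor
	buf := make([]byte, 16)
	_, err = io.ReadFull(f, buf) // errors on files shorter than 16 bytes
	return err == nil && bytes.Equal(buf, sqliteMagic)
}
```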
Worker-pool pattern: `filepath.WalkDir` feeds a paths channel, N workers read 16 bytes each, and matches stream to output immediately.
GF(3) Conservation
sqlite-scanner is assigned trit = -1 (MINUS) for verification role:
```text
Verifier (-1) +  Coordinator (0) + Generator (+1) = 0 (mod 3)
[sqlite-scanner] [jo-clojure]      [hy-regime]
```
Triad semantics:
- sqlite-scanner detects/validates SQLite presence (MINUS)
- jo-clojure orchestrates scan → query → report pipeline (ERGODIC)
- hy-regime generates analysis reports from discovered databases (PLUS)
Boxxy Activities
scan-host
Scan host filesystem for all SQLite databases.
(sqlite-scanner/scan ["/Users/bob"] {:json true :size true :workers 8})
scan-vm-disk
Mount and scan a VM disk image.
(sqlite-scanner/scan-mounted disk-mount-path {:jsonl true})
canary-audit
Verify honeypot canary databases are in place.
(sqlite-scanner/verify-canaries canary-paths scan-results)
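The canary-audit check written out in Python over the scanner's `--json` / `--jsonl` output, as an added example; it is not the skill's Joker code, whose `verify-canaries` implementation is not shown on this page. The canary paths and sizes, the `DB_SUFFIXES` set, the size comparison and the sample records are assumptions constructed for illustration. Besides missing canaries it lists databases that were found only through the magic header.

```python
import json
from pathlib import PurePosixPath

# Assumption: extensions an extension-based inventory would already catch.
DB_SUFFIXES = {".db", ".sqlite", ".sqlite3"}

def load_scan(text):
    """Parse scanner output: --json ({"entries": [...]}) or --jsonl (one object per line).

    Returns {path: size}; size is None when --size was not passed.
    """
    text = text.strip()
    try:
        doc = json.loads(text)  # whole text is one JSON value: --json, or a single JSONL line
        records = (doc["entries"] or []) if "entries" in doc else [doc]
    except json.JSONDecodeError:  # several JSONL lines, or empty output
        records = [json.loads(line) for line in text.splitlines() if line.strip()]
    return {r["path"]: r.get("size") for r in records}

def audit(found, canaries):
    """Compare scan results with planted canaries ({path: expected size in bytes})."""
    missing = sorted(p for p in canaries if p not in found)
    resized = sorted(p for p, size in canaries.items()
                     if found.get(p) is not None and found[p] != size)
    magic_only = sorted(p for p in found if p not in canaries
                        and PurePosixPath(p).suffix.lower() not in DB_SUFFIXES)
    return {"missing": missing, "resized": resized, "magic_only": magic_only}

# Constructed sample in the JSONL shape shown under Output Formats (not real scan output).
SAMPLE = """\
{"path":"/Users/bob/Library/Safari/History.db","size":1048576}
{"path":"/Users/bob/Documents/.canary/payroll.db","size":8192}
{"path":"/Users/bob/Downloads/invoice.pdf","size":524288}
"""
CANARIES = {  # hypothetical planted canaries and their sizes at planting time
    "/Users/bob/Documents/.canary/payroll.db": 4096,
    "/Users/bob/Desktop/passwords.sqlite": 4096,
}

if __name__ == "__main__":
    for kind, paths in audit(load_scan(SAMPLE), CANARIES).items():
        for p in paths:
            print(f"{kind}\t{p}")
```

A `missing` entry means the canary is gone or no longer starts with the SQLite header; `magic_only` entries are the files a search by extension would not have listed.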
Architecture
- upstream: github.com/simonw/sqlite-scanner (single main.go, ~250 LOC)
- distribution: PyPI wheels via go-to-wheel (8 platform targets)
- invocation: `uvx sqlite-scanner` (zero-install) or `go install`
- concurrency: Go worker pool, `runtime.NumCPU()` default workers
- integration: Joker `.joke` activities wrap via `joker.os/exec`