diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..6458471
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,2 @@
+.npm/
+node_modules/
\ No newline at end of file
diff --git a/package.json b/package.json
index 82c4117..5d79e33 100644
--- a/package.json
+++ b/package.json
@@ -4,6 +4,7 @@
 "@angular/core": "^13.3.3",
 "quill": "1.3.7",
 "cloudron-sysadmin": "1.0.0",
+ "openclaw": "2026.4.14",
 "script-manager": "0.8.6",
 "slug": "0.9.0",
 "ajv": "^8.12.0"
@@ -17,4 +18,4 @@
 "name": "test",
 "private": false,
 "version": "1.0.0"
-}
+}
\ No newline at end of file
diff --git a/unsafe_c_sharp_raw_sql_with_user_input.cs b/unsafe_c_sharp_raw_sql_with_user_input.cs
new file mode 100644
index 0000000..2235999
--- /dev/null
+++ b/unsafe_c_sharp_raw_sql_with_user_input.cs
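Review bot: The new `"openclaw": "2026.4.14"` entry pins an exact version, but nothing else in this diff updates a lockfile or references the package (the only other new file is C#), so its transitive dependency tree is not pinned and the reason for the addition is not visible. A lockfile entry carrying an `integrity` hash, or a one-line note in the commit description naming what consumes the package, would let a reviewer verify this supply-chain change. If the lockfile update lives in a separate commit, disregard.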
@@ -0,0 +1,55 @@
+using Microsoft.AspNetCore.Mvc;
+using Microsoft.EntityFrameworkCore;
+using WebApplication1.Controllers;
+
+using Microsoft.AspNetCore.Mvc;
+using Microsoft.Extensions.Logging;
+using System;
+using System.Data.SqlClient;
+
+namespace WebFox.Controllers
+{
+ [ApiController]
+ [Route("[controller]")]
+ public class UnsafeSqliInjection : ControllerBase
+ {
+ [HttpGet("{id}")]
+ public string DoSqli(string id)
+ {
+ string conString = "I AM a connection String";
+ using (SqlCommand cmd = new SqlCommand("SELECT * FROM users WHERE userId = '" + id + "'"))
+ {
+ using (SqlConnection con = new SqlConnection(conString))
+ {
+ con.Open();
+ cmd.Connection = con;
+ SqlDataReader reader = cmd.ExecuteReader();
+ string res = "";
+ while (reader.Read())
+ {
+ res += reader["userName"];
+ }
+ return res;
+ }
+ }
+ }
+
+ [HttpGet("{username}")]
+ public string DoSqli(string username)
+ {
+ string insecure_query = "SELECT * FROM users WHERE userId = '" + username + "'";
+ insecure_command = sqcontext.Database.ExecuteSqlCommand(insecure_query);
+ }
+ }
+
+ public class SafeSqli
+ {
+ // This is not deterministic.
+ // Maybe username is not a user parameter, but only called within the code
+ public string Sqli(string username)
+ {
+ string insecure_query = "SELECT * FROM users WHERE userId = '" + username + "'";
+ insecure_command = sqcontext.Database.ExecuteSqlCommand(insecure_query);
+ }
+ }
+}
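Review bot: The second `DoSqli(string username)` in `UnsafeSqliInjection` has the same signature as the first, so the class cannot compile (CS0111); both it and `SafeSqli.Sqli` also reference `insecure_command` and `sqcontext`, which are declared nowhere in the file, are declared `string` yet return nothing, and `[HttpGet("{id}")]` / `[HttpGet("{username}")]` would be ambiguous routes even if they did compile. If the file is meant as a parse-only fixture for a SQL-injection scanner, as the filename suggests, that may be intentional, but it should then say so in a header comment such as `// Intentionally insecure, non-compiling fixture: exercises detection of string-built SQL.` so nobody treats it as reference code. For the first method, the parameterized form a "safe" counterpart should show is `new SqlCommand("SELECT * FROM users WHERE userId = @id", con)` with `cmd.Parameters.Add("@id", SqlDbType.NVarChar).Value = id;`, and `SqlDataReader reader` belongs in a `using` so the reader is closed on every path. Note also that `using Microsoft.AspNetCore.Mvc;` appears twice.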