lead-generating
v1.0.0
Automate lead capture and tracking with Supabase storage and Make.com email workflows, managing conversations from new to qualified status.
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
Name, README, SKILL.md, skill.json and the TypeScript code all implement lead capture, conversation logging, status updates and automation checks against a Supabase backend. The claimed capabilities align with the code and schemas.
Instruction Scope
Runtime instructions ask operators to use the Supabase Service Role Key (SKILL.md / README) which grants full DB privileges and bypasses row-level security — broader scope than a typical per-org agent integration needs. Otherwise instructions stay within lead/automation scope and do not request arbitrary file or system reads.
Install Mechanism
This is an instruction-only skill with a code file and package.json. There is no download-from-arbitrary-URL or installer; standard npm dependency (@supabase/supabase-js) is declared. No extract-from-URL installs or suspicious binaries were found.
Credentials
The skill requires Supabase connection info (supabaseUrl, supabaseKey, orgId) in its config. The SKILL.md and README explicitly instruct using the Service Role Key rather than an anon key — that key is a full-access secret (SECRET-like) and is disproportionate compared to the function (which could be implemented with anon key + RLS or a limited server-side token).
Persistence & Privilege
The skill is not always-enabled, does not request system-wide config changes, and its hooks are simple echo statements. It does not declare elevated platform privileges beyond normal runtime execution.
What to consider before installing
This skill appears to do what it says (lead capture, storing conversations, triggering automations) but it asks you to provide a Supabase Service Role Key — a full-access credential that bypasses Supabase row-level security and can read/write any table. Before installing, consider:
- Avoid giving the agent the Service Role Key unless the skill runs in a trusted, server-side environment you control. Prefer using an Anon/public key with properly configured RLS policies, or a narrowly scoped server-side token that only allows the required inserts/queries.
- Ask the skill author why the Service Role Key is required and whether the skill can work with RLS or a restricted API key.
- Verify where the key will be stored by your platform (is it encrypted/secret-scoped?) and whether the agent runtime could leak it to logs or remote endpoints.
- Review and/or run the code in a staging environment to confirm the skill only accesses the declared Supabase tables and does not call unexpected external endpoints. There are references to Make.com/Resend in docs, but no hardcoded webhook URLs in the code — you will need to configure those automations yourself.
- Rotate the key after testing and monitor Supabase logs for unexpected queries.
If you cannot host the skill in a trusted server-side environment or cannot supply a narrowly scoped credential, treat this skill as unsafe to run with a Service Role Key.
Like a lobster shell, security has layers — review code before you run it.
