Supabase
Security checks across static analysis, malware telemetry, and agentic risk
Overview
This instruction-only Supabase integration is purpose-aligned, but it can access and modify live Supabase data through a Maton API key, so users should grant it carefully.
Install this only if you trust Maton with access to your Supabase project. Use the least-privileged key and connection available, prefer staging for exploration, and carefully approve any write, update, or delete action with narrow filters and a clear expected outcome.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If the user approves the wrong operation or broad filters, the agent could modify or delete many records in the connected Supabase project.
The skill exposes high-impact API operations against database tables, auth users, and storage resources. The instructions acknowledge the risk and require approval, making it purpose-aligned but important for users to notice.
All write operations require explicit user approval. Before executing any POST, PATCH, or DELETE call, confirm the target table/resource, filter conditions, and intended effect with the user. DELETE and PATCH without narrow filters can affect many rows.
Confirm the target project, table or resource, filters, and expected effect before approving any POST, PATCH, or DELETE request.
Any person or agent action using this key may be able to access the connected Supabase database, auth, and storage resources through Maton.
The skill requires a Maton API key that can access connected Supabase resources. This credential requirement is disclosed and aligned with the integration purpose, but it is sensitive authority.
All requests require the Maton API key in the Authorization header: Authorization: Bearer $MATON_API_KEY
Use a Maton API key with only the access you need, rotate it if exposed, and avoid sharing it in prompts, logs, or files.
Users have less independent visibility into the origin or review history of the instruction set.
The registry metadata does not provide a source repository or provenance beyond the homepage. There are no install scripts or code files, so this is a limited provenance note rather than a concrete code supply-chain concern.
Source: unknown
Prefer installing from publishers and sources you trust, especially for skills that handle credentials or production data.
Sensitive Supabase data and operations may transit through Maton's service when the skill is used.
Supabase requests and responses are routed through the Maton API gateway. This is disclosed and central to the skill's purpose, but it means database, auth, and storage data may pass through a third-party proxy.
Maton proxies requests to your connected Supabase project using these service prefixes: rest/v1, auth/v1, storage/v1
Use this only if you trust Maton with the connected Supabase project data and confirm you are using the intended connection.
A mistaken operation could affect real users, application data, or stored files in the connected Supabase project.
The skill can affect live production data and user/storage state. The artifact clearly warns about this and recommends staging or test projects, so it is a proportional but important operational risk.
Production data scope: Database mutations, auth user changes, and storage operations directly affect the connected project's live data. Prefer staging/test projects for exploratory work.
Use staging or test projects for exploration, and require narrow filters and explicit confirmation before changes to production.
