v1.0.0

Supabase Security Auditor

BenignClawScan verdict for this skill. Analyzed May 1, 2026, 2:48 PM.

Analysis

This is a coherent, instruction-only Supabase security audit skill, with the main caution that it may inspect and surface sensitive Supabase keys from local project files.

Guidance: This skill appears safe to use for its stated purpose. Before installing or invoking it, be aware that it may read .env and source files to find exposed Supabase keys; ask for secrets to be redacted in any output and review findings before making configuration changes.

Findings (2)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Tool Misuse and Exploitation
Severity: Low | Confidence: High | Status: Note
SKILL.md
cat supabase/config.toml 2>/dev/null
ls supabase/migrations/ 2>/dev/null | tail -10
grep -rn "createClient\|supabase\." src/ lib/ app/ | head -20

The skill suggests local shell commands to inspect project configuration and source code. These commands are read-only and aligned with the audit purpose, but they still access local files.

User impact: The agent may read parts of your local Supabase project while performing the audit.
Recommendation: Run the skill from the intended project root and avoid expanding the commands to unrelated directories.

Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
Severity: Medium | Confidence: High | Status: Note
SKILL.md
grep -rn "SUPABASE_\|supabase\.\(url\|key\|anon\)" .env* src/ | head -10

The skill explicitly searches environment and source files for Supabase keys, including potentially sensitive service_role credentials. This is expected for an API key security audit, but the discovered values may be sensitive.

User impact: Supabase service_role keys can bypass RLS, so exposing them in chat output or reports could create account risk.
Recommendation: Ask the agent to redact key values, share only file paths and short fingerprints, and do not publish the raw audit output if it contains secrets.