Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Ecosincronia Supabase

v1.0.1

Connect to Supabase for database operations, vector search, and storage. Use for storing data, running SQL queries, similarity search with pgvector, and mana...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The skill's name/description match the code: it implements Supabase REST/RPC operations, table management, and pgvector similarity search. However the script depends on utilities (curl, jq) and an OPENAI_API_KEY for embeddings which are not declared in the registry metadata's required envs or required binaries. Those omissions are inconsistent with the stated manifest and should have been declared.
Instruction Scope
Runtime instructions and the shell script perform full-database operations (raw SQL via an exec_sql RPC, inserts/updates/deletes), list/describe tables, and perform vector searches. Vector search code sends text to OpenAI's embeddings API (network call to api.openai.com) which transmits user data outside the Supabase project — this is in-scope for vector search but is a privacy/exfiltration consideration and the OpenAI credential requirement is not consistently declared in metadata. The script also assumes availability of jq and curl; SKILL.md/metadata do not require those binaries.
Install Mechanism
There is no install spec (instruction-only plus an included script). No external archives or downloads are performed by the skill itself. This minimizes installer risk, but the included script will be written to disk by the skill bundle.
Credentials
The declared required env vars (SUPABASE_URL, SUPABASE_SERVICE_KEY) are expected for server-side management, but SUPABASE_SERVICE_KEY is a service-role key with full access — this is powerful and must be handled carefully. The script also requires OPENAI_API_KEY for embeddings (other vars such as SUPABASE_ANON_KEY/SUPABASE_ACCESS_TOKEN are suggested as optional), but OPENAI_API_KEY is not listed in the registry's required envs metadata. The omission of this sensitive credential from the manifest is a notable inconsistency.
Persistence & Privilege
The skill is not always-enabled and is user-invocable; it does not request persistent platform privileges or modify other skills. Autonomous invocation is allowed (platform default) but not combined with other high-risk indicators here.
What to consider before installing
This skill contains a runnable shell script that uses your Supabase service role key and (for vector search) sends text to OpenAI. Before installing:

1. Inspect scripts/supabase.sh yourself (you have the file) to ensure it matches your expectations.
2. Do not supply a production SUPABASE_SERVICE_KEY unless you trust and audit the script — prefer a least-privilege key or a dedicated project.
3. Be aware vector-search will transmit query text to OpenAI (you must provide OPENAI_API_KEY); if that is a privacy concern, disable vector-search or remove that code.
4. Ensure the host has curl and jq available; the script will fail otherwise.
5. If you proceed, run in an isolated environment or with limited credentials and consider adding network controls or logging to monitor outbound calls to api.openai.com.

If the publisher can update the manifest to declare OPENAI_API_KEY and the required binaries, that would resolve the main inconsistencies.


latest · vk973nqay2zpedmbcs3x7ftzp3582mc1g


Runtime requirements

Env: SUPABASE_URL, SUPABASE_SERVICE_KEY
