Firebase Auth Setup

This skill's code-free instructions look reasonable for configuring Firebase auth and a Firebase→Supabase sync, but there are important inconsistencies you should resolve before installing or running it: - Confirm required secrets: claw.json declares FIREBASE_PRIVATE_KEY and SUPABASE_SERVICE_ROLE_KEY (highly sensitive). Ask the author why these are required and whether they are mandatory for the skill to run or only needed for optional end-to-end tests. Prefer to provide such keys manually and only in a development environment. - Verify the manifest vs registry metadata: the top-level Requirements showed no required env vars or binaries, but claw.json does. That mismatch could be a packaging error or intentional—get clarification. - Inspect any created API routes before deploying: the SKILL.md will add server-side routes that operate with service credentials. Review those routes for authorization checks, rate limiting, and whether they leak tokens or accept unauthenticated requests. - Follow the Planning Protocol locally and run changes in a feature branch or staging environment. Back up existing auth-related files and test lockout scenarios (middleware changes) on a non-production environment. - If you need higher assurance, request the skill author to provide a minimal proof (diff or example files) showing how credentials are consumed (e.g., using process.env only in server-only code, not client bundles), and whether any remote endpoints are contacted besides Firebase and Supabase. If the author confirms claw.json is accurate and requires the listed creds, treat those as required for full functionality and only supply them in controlled, auditable environments (or create short-lived test credentials). If they cannot justify the sensitive envs or cannot explain the registry/manifest mismatch, do not install the skill.