Firebase Auth Setup

Security checks across malware telemetry and agentic risk

Overview

This is an instruction-only Firebase auth setup skill that also clearly teaches Firebase-to-Supabase profile sync, but it relies on powerful server-side credentials that users should handle carefully.

Install only if you actually want Firebase auth plus Supabase profile synchronization. Review generated auth, middleware, custom-claim, and API-route changes before applying them, keep Firebase private keys and Supabase service-role keys out of prompts and client code, and test in staging before production.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (3)

Description-Behavior Mismatch

Medium
Confidence: 91%
Finding
The skill is presented as a Firebase Authentication setup helper, but it also directs the agent to build Firebase-to-Supabase synchronization that uses privileged Supabase access. This expands the capability and trust boundary beyond the stated scope, increasing the chance that a user invokes the skill expecting auth-only changes while the agent also provisions cross-system data writes with elevated privileges.

Context-Inappropriate Capability

Medium
Confidence: 96%
Finding
The documented implementation creates a Supabase client with the service-role key inside an API route and uses it to upsert profile records based on a Firebase token. While the route verifies the token, embedding privileged database write patterns in a broadly scoped auth-setup skill is dangerous because service-role keys bypass RLS and grant wide database authority; if this route is later extended, exposed, or reused incorrectly, it can become a high-impact privilege boundary failure.

Context-Inappropriate Capability

Medium
Confidence: 95%
Finding
This Firebase Authentication skill requests Supabase environment variables, including a high-privilege service role key, despite the manifest and description not justifying any Supabase integration. Unnecessary secret requirements expand the trust boundary and create a risk that the agent will access or expose unrelated backend credentials during skill execution.

VirusTotal

64/64 vendors flagged this skill as clean.
