Firebase Auth Setup
Pass
Audited by ClawScan on May 10, 2026.
Overview
This instruction-only skill is consistent with its stated purpose of setting up Firebase authentication, but it touches security-critical auth code and references powerful Firebase/Supabase server credentials that users should handle carefully.
This looks reasonable for a Firebase Auth setup skill, but use it with care: review every generated auth/middleware/API-route diff, test outside production first, keep service-role and private-key secrets server-side only, and verify the package provenance because the registry metadata and claw.json do not fully match.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A bad generated auth or sync change could stop users from signing in or break profile mapping.
The skill itself identifies that authentication middleware and Firebase-Supabase sync changes can affect user access. This is expected for an auth setup skill, but it is high-impact.
Flag: (a) changes to auth middleware that could lock out existing users; (b) sync route changes that could break the Firebase-Supabase user mapping.
Review the execution plan and file diffs, test in a staging environment, and keep a rollback path before applying changes to production.
If these keys are pasted into chat, committed to the client bundle, or mishandled in generated code, an attacker could gain elevated access to Firebase or Supabase resources.
The declared environment contract includes powerful server-side Firebase and Supabase credentials. That is coherent with server token verification and profile sync, but these secrets grant significant account/project authority.
"FIREBASE_PRIVATE_KEY", ... "SUPABASE_SERVICE_ROLE_KEY"
Keep these values only in server-side environment storage, do not paste secret values into prompts, verify generated code never exposes them to the browser, and rotate keys if they are accidentally disclosed.
It may be harder to confirm exactly which published version or source repository this skill came from.
The registry metadata and packaged claw.json disagree on version and provenance fields. There is no install script or code execution shown, so this is a provenance note rather than evidence of malicious behavior.
metadata: "Version: 0.1.2" / "Source: unknown" / "Homepage: none"; claw.json: "version": "1.1.0", "homepage": "https://github.com/guifav/openclaw-skills"
Verify the publisher/source before relying on the skill for production auth changes, especially because auth setup is security-sensitive.
