Firebase Auth Setup

Advisory

Audited by Static analysis on Apr 30, 2026.

Overview

No suspicious patterns detected.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Note (High Confidence)
ASI08: Cascading Failures
What this means

A bad generated auth or sync change could stop users from signing in or break profile mapping.

Why it was flagged

The skill itself identifies that authentication middleware and Firebase-Supabase sync changes can affect user access. This is expected for an auth setup skill, but it is high-impact.

Skill content

Flag: (a) changes to auth middleware that could lock out existing users, (b) sync route changes that could break the Firebase-Supabase user mapping

Recommendation

Review the execution plan and file diffs, test in a staging environment, and keep a rollback path before applying changes to production.

What this means

If these keys are pasted into chat, committed to the client bundle, or mishandled in generated code, an attacker could gain elevated access to Firebase or Supabase resources.

Why it was flagged

The declared environment contract includes powerful server-side Firebase and Supabase credentials. That is coherent with server token verification and profile sync, but these secrets grant significant account/project authority.

Skill content

"FIREBASE_PRIVATE_KEY", ... "SUPABASE_SERVICE_ROLE_KEY"

Recommendation

Keep these values only in server-side environment storage, do not paste secret values into prompts, verify generated code never exposes them to the browser, and rotate keys if they are accidentally disclosed.

What this means

It may be harder to confirm exactly which published version or source repository this skill came from.

Why it was flagged

The registry metadata and packaged claw.json disagree on version and provenance fields. There is no install script or code execution shown, so this is a provenance note rather than evidence of malicious behavior.

Skill content

metadata: "Version: 0.1.2" / "Source: unknown" / "Homepage: none"; claw.json: "version": "1.1.0", "homepage": "https://github.com/guifav/openclaw-skills"

Recommendation

Verify the publisher/source before relying on the skill for production auth changes, especially because auth setup is security-sensitive.