Supabase Ops
Warn
Audited by ClawScan on May 10, 2026.
Overview
This looks like a legitimate Supabase operations skill, but it can use admin Supabase credentials and run database or edge-function deployment commands that may change production systems.
Install only if you are comfortable letting the agent modify Supabase migrations, generated types, edge functions, and potentially production databases. Before using it, confirm the target project, keep service-role keys protected, require explicit approval for every production apply or deployment, and test migrations in local or staging environments first.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A mistaken or overly broad command could change a production database schema, alter RLS behavior, deploy edge-function code, or cause data loss.
The skill is designed to run CLI commands that can alter databases, including production targets. It has safeguards, but the production workflow does not consistently state that explicit user approval is required before every apply or deployment.
Execute operations autonomously in the dev environment. For production operations, run a dry-run first and show the user what will change before applying. ... Run `npx supabase db push --db-url <prod-url>` for production.
Require explicit user confirmation before any production database push or edge-function deployment, and require backups or rollback plans for destructive changes.
If used against the wrong project or exposed in logs, shell history, or generated files, this credential could allow broad access to Supabase resources.
The service-role key is expected for some Supabase admin operations, but it is a powerful credential that can bypass normal application-level access controls.
`SUPABASE_SERVICE_ROLE_KEY` (for edge function deployment and admin operations via `npx supabase`).
Use the least-privileged credentials possible, keep service-role keys out of source files and logs, and verify the target Supabase project before running commands.
Behavior may depend on the user's installed Supabase CLI, npx package resolution, git configuration, or the external dependency.
The skill depends on external runtime tooling and another skill, while the provided package itself contains only instructions. This is purpose-aligned, but the reviewed artifacts do not pin or inspect those external components.
"skillDependencies": { "requires": ["stack-scaffold"] }, ... "bins": ["npx", "git"]
Prefer a pinned Supabase CLI version in the project, review the external skill dependency, and run commands first in a disposable or staging environment.
