Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Supabase ⚡
v1.0.0
Query Supabase projects - count users, list signups, check stats. Use for database queries and user analytics.
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidence
Purpose & Capability
Name/description (Supabase user analytics) align with required env vars (SUPABASE_URL, SUPABASE_SERVICE_KEY), the CLI script, and the documented commands. Requesting a service_role JWT is coherent with the stated need to call the Auth Admin API.
Instruction Scope
SKILL.md and the script are focused on reading data from the user's Supabase project (auth admin endpoints, REST, optional RPC). They read/write only a config file at ~/.supabase_config.json and use only SUPABASE_URL/SUPABASE_SERVICE_KEY. Note: the README/script instruct the user to store the admin key locally (interactive save or env), which is functionally necessary but increases risk if the host is shared.
Install Mechanism
No install spec; instruction-only plus a single Python script. It relies on python3 and the requests package (validated in the script). Nothing is downloaded from external URLs or installed automatically.
Credentials
The skill requires the SUPABASE_SERVICE_KEY (primary credential). This is proportionate for Admin API tasks (listing/counting users) but is a highly privileged secret (service_role JWT). The README recommends the JWT and even urges it; the skill also documents a less-privileged alternative (read-only SQL role). Requiring this credential is justified by the feature set but should be considered sensitive.
Persistence & Privilege
The skill does persist credentials to ~/.supabase_config.json (with chmod 600). always is false and disable-model-invocation is true (agent cannot autonomously invoke the skill), which reduces autonomous blast radius. It does not modify other skills or system-wide settings.
Assessment
This skill appears to do what it says: query your Supabase project for user analytics and project info. However, it asks for and encourages use of your Supabase service_role JWT (eyJ...) which grants full admin access to your database. Before installing:
1) Only provide this key on a trusted, private machine — avoid shared or CI environments.
2) Prefer using environment variables (not committed config files) or create a least-privilege read-only Postgres role / use the SQL API instead of the service_role key.
3) If you do save credentials to ~/.supabase_config.json, understand the file is persistent on disk (the script sets 600 permissions).
4) The package source has no homepage and an unknown owner — if you don't trust the publisher, review the included script (scripts/supabase.py) yourself (it is small and network calls are only to your Supabase URL).
5) Rotate the key if it may have been exposed.
Overall the skill is internally consistent but you must treat the requested service_role key as highly sensitive.
Like a lobster shell, security has layers — review code before you run it.
Runtime requirements
⚡ Clawdis
Bins: python3
Env: SUPABASE_URL, SUPABASE_SERVICE_KEY
Primary env: SUPABASE_SERVICE_KEY
