Supabase Complete Documentation
Pass
Audited by VirusTotal on May 12, 2026.
Overview
Type: OpenClaw Skill
Name: lb-supabase-skill
Version: 0.1.0

The skill bundle is classified as **suspicious**. The primary indicators are the presence of documentation and example code that demonstrate the use of highly privileged API keys (`SUPABASE_SERVICE_ROLE_KEY`) and the execution of powerful operations (direct database access, external API calls) within automated contexts like Edge Functions and GitHub Actions. Specifically, `references/guides/ai/automatic-embeddings.mdx`, `references/guides/ai/examples/headless-vector-search.mdx`, `references/guides/ai/examples/huggingface-image-captioning.mdx`, `references/guides/ai/examples/mixpeek-video-search.mdx`, `references/guides/ai/examples/nextjs-vector-search.mdx`, `references/guides/ai/examples/openai.mdx`, `references/guides/ai/examples/semantic-image-search-amazon-titan.mdx`, `references/guides/ai/hugging-face.mdx`, `references/guides/ai/hybrid-search.mdx`, `references/guides/ai/integrations/amazon-bedrock.mdx`, `references/guides/ai/integrations/llamaindex.mdx`, `references/guides/ai/integrations/roboflow.mdx`, and `references/guides/ai/langchain.mdx` contain code snippets or instructions for users to configure systems that leverage `SUPABASE_SERVICE_ROLE_KEY` (which bypasses Row Level Security) or make external network calls to AI providers
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If an agent or user runs examples without checking them, they could create projects, change databases, or incur usage costs.
The documentation includes command examples that can create or modify Supabase resources if a user chooses to run them.
`curl -X POST https://api.supabase.com/v1/projects ... "db_pass": "<your-secure-password>"`
Treat commands and SQL as reference material; require explicit user approval and review target project, organization, and environment before execution.
Mishandling these tokens or keys could expose Supabase project administration or service-role access.
The docs show use of a Supabase account access token to reveal project API keys, which is expected documentation but involves high-privilege credentials.
`curl -H "Authorization: Bearer $SUPABASE_ACCESS_TOKEN" ... "https://api.supabase.com/v1/projects/$PROJECT_REF/api-keys?reveal=true"`
Use least-privilege tokens, avoid pasting secrets into shared chats, and confirm any key-revealing or service-role operation with the user first.
Adding this configuration could give an MCP-capable agent access to the connected database according to the connection string's privileges.
The documentation shows configuring an MCP Postgres server with a database connection string, which can expose database access to an agent workflow if the user installs it.
`"command": "npx", "args": ["-y", "@modelcontextprotocol/server-postgres", "<connection-string>"]`
Only configure MCP database access for trusted agents, use a scoped database role, and avoid using production or superuser credentials.
Users have less registry-level provenance for confirming that the bundled docs exactly match official Supabase documentation.
The registry metadata does not provide a verifiable source or homepage, although the README claims the docs were extracted from the Supabase GitHub repository.
Source: unknown; Homepage: none
For security-sensitive guidance, compare examples against the official Supabase documentation or repository before applying them.
