Supabase Tool
Pass
Audited by ClawScan on May 10, 2026.
Overview
This skill transparently generates Supabase curl/SQL command templates and does not store credentials, but users should review generated commands and protect Supabase tokens.
Use this skill if you are comfortable reviewing curl and SQL before running them. Insert your Supabase credentials only in your own terminal, keep tokens private, and be careful with generated raw SQL or insert commands because they can change database data.
Findings (2)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If you copy and run the generated commands, they can query or modify your Supabase database; unusual quoting or untrusted input could also make a shell command behave differently than intended.
The helper generates runnable curl commands using user-supplied SQL, and other commands generate inserts/selects. This is core to the skill, but generated shell snippets should be reviewed before execution.
cmd_query() { local sql="${1:-SELECT version()}" ... -d '{"query": "$sql"}' }
Review generated commands before running them, avoid untrusted SQL/table/filter input, and test database-changing commands in a safe environment first.
Anyone who sees or obtains real tokens inserted into these commands may be able to access or manage your Supabase project within that token’s permissions.
Generated commands require Supabase access tokens or anon keys. This is expected for Supabase API use and the script uses placeholders rather than storing credentials.
-H "Authorization: Bearer YOUR_ACCESS_TOKEN"
Use least-privilege Supabase credentials where possible, keep tokens out of shared chats/logs, and rotate tokens if accidentally exposed.
