Supabase

v1.0.0

Connect to Supabase for database operations, vector search, and storage. Use for storing data, running SQL queries, similarity search with pgvector, and managing tables. Triggers on requests involving databases, vector stores, embeddings, or Supabase specifically.

by Lucas Synnott (@lucassynnott)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (high confidence)
Purpose & Capability
Name/description match the implementation: the script performs SQL, table management, REST operations, and pgvector similarity search against a Supabase project. Requiring a SUPABASE_SERVICE_KEY (full access service role) is coherent for management tasks. However the skill does not declare the OpenAI API key that the script requires for embeddings, and it does not declare command-line dependencies used by the script (curl, jq). The primary credential field is empty even though SUPABASE_SERVICE_KEY is effectively the main secret.
Instruction Scope
SKILL.md and the bundled script instruct the agent to run arbitrary SQL (via an exec_sql RPC if present) and to send text to the OpenAI embeddings API for vector search. That means user data and DB contents can be transmitted to external endpoints (api.openai.com) and arbitrary SQL could be executed if the exec_sql function exists. The instructions expect OPENAI_API_KEY (used in the script) but this env var is not listed in the declared requirements. The script also assumes presence of jq and curl but the skill metadata doesn't declare these binaries.
Install Mechanism
No install spec — instruction-only plus a shell script shipped in the skill. No external downloads or archive extraction are performed by the skill. This keeps disk-write/install risk low. The script will run network calls, but there is no installer fetching arbitrary code from outside.
Credentials
The skill requires SUPABASE_SERVICE_KEY (a full-access service role key) which is powerful but relevant for management operations; however this should be called out as high-privilege. The script also requires OPENAI_API_KEY for embeddings (and will send content to OpenAI), but OPENAI_API_KEY is not listed in requires.env. Several required runtime dependencies (jq, curl) are implicit. No primary credential is declared even though SUPABASE_SERVICE_KEY is the main secret. Requesting a full service key without explicit least-privilege guidance is disproportionate if users expect only read/search operations.
Persistence & Privilege
The skill is not marked always:true and does not request persistent elevation or modification of other skills. It will run only when invoked and does not attempt to modify system-wide agent settings according to the provided files.
What to consider before installing
This skill appears to implement a legitimate Supabase CLI, but there are a few risks and omissions you should consider before installing:
- SUPABASE_SERVICE_KEY is a service-role key (full DB access). Only provide this to code you fully trust; prefer a least-privilege key or a scoped service role if possible. Do not use a production master/service key in an environment you don't control.
- The bundled script performs arbitrary SQL and can call a custom exec_sql RPC — this enables full read/write/execution against your DB. Review the script and avoid running it with dangerous SQL until you understand it.
- The script uses the OpenAI embeddings API for vector search (sends queries/possibly content to api.openai.com). The script requires OPENAI_API_KEY at runtime, but the skill metadata does not declare this — expect to need to set that env var if you use vector-search. Consider whether you want query text or DB content sent to OpenAI.
- The script depends on curl and jq (not declared). Ensure those binaries are available and review the script locally before running.

Recommendations:
1) Review the full scripts/supabase.sh file locally line-by-line and run it in a sandboxed environment first.
2) Create and use minimal-privilege keys (read-only or scoped service role) where possible.
3) If using vector search, decide whether sending data to OpenAI is acceptable for your data classification; consider hosting your own embedding/model if needed.
4) Ask the publisher to update the skill metadata to declare OPENAI_API_KEY and required binaries, and to mark SUPABASE_SERVICE_KEY as the primary credential so the privilege is explicit.

Like a lobster shell, security has layers — review code before you run it.

latestvk97bvsrgqbvxsszr1947st7yb97z4ny1

Runtime requirements

Env: SUPABASE_URL, SUPABASE_SERVICE_KEY