Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Supabase ⚡

Query Supabase projects - count users, list signups, check stats. Use for database queries and user analytics.

MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Benign (high confidence)
Purpose & Capability
Name/description (Supabase user analytics) align with required env vars (SUPABASE_URL, SUPABASE_SERVICE_KEY), the CLI script, and the documented commands. Requesting a service_role JWT is coherent with the stated need to call the Auth Admin API.
Instruction Scope
SKILL.md and the script are focused on reading data from the user's Supabase project (auth admin endpoints, REST, optional RPC). They read/write only a config file at ~/.supabase_config.json and use only SUPABASE_URL/SUPABASE_SERVICE_KEY. Note: the README/script instruct the user to store the admin key locally (interactive save or env), which is functionally necessary but increases risk if the host is shared.
Install Mechanism
No install spec; instruction-only plus a single Python script. It relies on python3 and the requests package (validated in the script). Nothing is downloaded from external URLs or installed automatically.
Credentials
The skill requires the SUPABASE_SERVICE_KEY (primary credential). This is proportionate for Admin API tasks (listing/counting users) but is a highly privileged secret (service_role JWT). The README recommends the JWT and even urges it; the skill also documents a less-privileged alternative (read-only SQL role). Requiring this credential is justified by the feature set but should be considered sensitive.
Persistence & Privilege
The skill does persist credentials to ~/.supabase_config.json (with chmod 600). always is false and disable-model-invocation is true (agent cannot autonomously invoke the skill), which reduces autonomous blast radius. It does not modify other skills or system-wide settings.
Assessment
This skill appears to do what it says: query your Supabase project for user analytics and project info. However, it asks for and encourages use of your Supabase service_role JWT (eyJ...) which grants full admin access to your database. Before installing:

  1. Only provide this key on a trusted, private machine — avoid shared or CI environments.
  2. Prefer using environment variables (not committed config files) or create a least-privilege read-only Postgres role / use the SQL API instead of the service_role key.
  3. If you do save credentials to ~/.supabase_config.json, understand the file is persistent on disk (the script sets 600 permissions).
  4. The package source has no homepage and an unknown owner — if you don't trust the publisher, review the included script (scripts/supabase.py) yourself (it is small and network calls are only to your Supabase URL).
  5. Rotate the key if it may have been exposed.

Overall the skill is internally consistent but you must treat the requested service_role key as highly sensitive.

Like a lobster shell, security has layers — review code before you run it.

Current version: v1.0.0

Runtime requirements

Clawdis
Bins: python3
Env: SUPABASE_URL, SUPABASE_SERVICE_KEY
Primary env: SUPABASE_SERVICE_KEY

SKILL.md

Supabase ⚡

Query your Supabase projects directly from chat.

Setup

1. Get your credentials

Go to Supabase Dashboard → Project Settings → API

You'll see two tabs:

  • "Publishable and secret API keys" - New format (limited functionality)
  • "Legacy anon, service_role API keys" - JWT format (full functionality)

⚠️ Use the Legacy JWT key for full access!

The service_role JWT key (starts with eyJ...) gives full admin access including:

  • Listing users with details
  • Counting signups
  • Accessing auth.users

The new sb_secret_... keys have limited functionality and can't access the Admin API.

2. Find your keys

  1. Go to: Project Settings → API
  2. Click the "Legacy anon, service_role API keys" tab
  3. Find service_role (marked with red "secret" badge)
  4. Click Reveal and copy the eyJ... token

Direct link: https://supabase.com/dashboard/project/YOUR_PROJECT_REF/settings/api

3. Configure

Option A: Interactive setup

python3 {baseDir}/scripts/supabase.py auth

Option B: Manual config

Create ~/.supabase_config.json:

{
  "url": "https://xxxxx.supabase.co",
  "service_key": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9..."
}

Option C: Environment variables

export SUPABASE_URL="https://xxxxx.supabase.co"
export SUPABASE_SERVICE_KEY="eyJhbG..."

Commands

User Analytics

# Count total users
python3 {baseDir}/scripts/supabase.py users

# Count new users (24h)
python3 {baseDir}/scripts/supabase.py users-today

# Count new users (7 days)  
python3 {baseDir}/scripts/supabase.py users-week

# List users with details (name, email, provider, signup date)
python3 {baseDir}/scripts/supabase.py list-users

# List new users from last 24h
python3 {baseDir}/scripts/supabase.py list-users-today

# Limit results
python3 {baseDir}/scripts/supabase.py list-users --limit 5

Project Info

# Show project info and key type
python3 {baseDir}/scripts/supabase.py info

# List tables exposed via REST API
python3 {baseDir}/scripts/supabase.py tables

JSON Output

python3 {baseDir}/scripts/supabase.py list-users --json

Key Types Explained

| Key Type | Format | User Listing | User Count | REST Tables |
| --- | --- | --- | --- | --- |
| JWT service_role | eyJ... | ✅ Yes | ✅ Yes | ✅ Yes |
| New secret | sb_secret_... | ❌ No | ❌ No | ✅ Yes |

Recommendation: Always use the JWT service_role key for Clawdbot integration.

Daily Reports

Set up automated daily user reports via Clawdbot cron.

Example: Daily 5 PM Report

Ask Clawdbot:

Send me a report of how many new users signed up at 5 PM every day, 
show the last 5 signups with their names

This creates a cron job like:

{
  "name": "Daily Supabase User Report",
  "schedule": {
    "kind": "cron",
    "expr": "0 17 * * *",
    "tz": "America/Los_Angeles"
  },
  "payload": {
    "message": "Supabase daily report: Count new user signups in the last 24 hours, and list the 5 most recent signups with their name and email."
  }
}

Sample Report Output

📊 Supabase Daily Report

New signups (last 24h): 2

Last 5 signups:
• Jane Smith <jane@example.com> (google) - 2026-01-25
• Alex Johnson <alex.j@company.com> (google) - 2026-01-25
• Sam Wilson <sam@startup.io> (email) - 2026-01-24
• Chris Lee <chris.lee@email.com> (google) - 2026-01-23
• Jordan Taylor <jordan@acme.co> (github) - 2026-01-22

GraphQL API (pg_graphql)

⚠️ pg_graphql is disabled by default on new Supabase projects (as of late 2025).

If you need the GraphQL API:

Enable pg_graphql

-- Run in SQL Editor
create extension if not exists pg_graphql;

Endpoint

https://<PROJECT_REF>.supabase.co/graphql/v1

Example Query

curl -X POST https://<PROJECT_REF>.supabase.co/graphql/v1 \
  -H 'apiKey: <API_KEY>' \
  -H 'Content-Type: application/json' \
  --data-raw '{"query": "{ accountCollection(first: 1) { edges { node { id } } } }"}'

Note: GraphQL automatically reflects your database schema. Tables/views in public schema become queryable. See Supabase GraphQL docs for configuration.

Troubleshooting

"list-users requires a JWT service_role key"

You're using an sb_secret_... key. Get the JWT key from: Project Settings → API → Legacy tab → service_role → Reveal

"No API key found in request"

The new sb_secret_ keys don't work with all endpoints. Switch to the JWT key.

Keys not showing

Make sure you're on the "Legacy anon, service_role API keys" tab, not the new API keys tab.

Security & Permissions

The service_role key has full admin access to your database. This skill requires it for the Auth Admin API (listing/counting users).

What this skill does:

  • Makes GET requests to your Supabase project's Auth Admin API
  • Reads user metadata (email, name, provider, signup date)
  • All requests stay between your machine and your Supabase instance

What this skill does NOT do:

  • Does not write, modify, or delete any data
  • Does not send credentials to any third party
  • Does not access any endpoints outside your Supabase project
  • Cannot be invoked autonomously by the agent (disable-model-invocation: true)

Least-privilege alternative: Create a read-only Postgres role scoped to auth.users and use the Supabase SQL API instead of the Admin API.

Key safety:

  • Never commit keys to git
  • Don't expose in client-side code
  • Only use on trusted machines
  • Config file is automatically set to mode 600 (owner read/write only)
  • Review scripts/supabase.py before first use
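
A local audit of the stored credential described above, as an added example that is not part of the skill or its scripts/supabase.py: it checks that a config file shaped like ~/.supabase_config.json is mode 600 and reports which kind of key it holds. The function names are hypothetical, the sample token is constructed, and reading the key kind from a `role` claim in the JWT payload is an assumption about the legacy key format.

```python
import base64
import json
import os
import stat
import tempfile

def classify_key(key):
    """Return 'sb_secret', the JWT's role claim, or 'unknown' (signature not verified)."""
    if key.startswith("sb_secret_"):
        return "sb_secret"
    try:
        _, body, _ = key.split(".")  # ValueError unless exactly three segments
        claims = json.loads(base64.urlsafe_b64decode(body + "=" * (-len(body) % 4)))
    except ValueError:
        return "unknown"
    # Assumption: legacy Supabase keys carry a `role` claim (anon or service_role).
    return str(claims.get("role", "unknown")) if isinstance(claims, dict) else "unknown"

def audit_config(path):
    """Return findings for a file shaped like ~/.supabase_config.json."""
    findings = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & 0o077:
        findings.append(f"mode {mode:03o}: accessible beyond the owner, expected 600")
    with open(path) as fh:
        kind = classify_key(json.load(fh).get("service_key", ""))
    if kind == "service_role":
        findings.append("service_role JWT on disk: full admin access if this file leaks")
    elif kind == "unknown":
        findings.append("service_key is not a recognised Supabase key format")
    return findings

def constructed_jwt(role):
    """Build a constructed sample token with a dummy signature (not a real credential)."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return ".".join([enc({"alg": "HS256", "typ": "JWT"}), enc({"role": role}), "sig"])

def demo(mode):
    """Write a constructed config into a temp dir, set its mode, and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "supabase_config.json")
        with open(path, "w") as fh:
            json.dump({"url": "https://xxxxx.supabase.co",
                       "service_key": constructed_jwt("service_role")}, fh)
        os.chmod(path, mode)  # 0o600 is the mode the skill sets
        return audit_config(path)

if __name__ == "__main__":
    print(demo(0o644), demo(0o600), sep="\n")
```

Point `audit_config` at the real config path to check an existing install; it reads the key only to classify it and never prints it.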
