ClawHub

Elite Multi-Agent Comms Mesh

v1.0.3

Agent-to-agent communication via Supabase. Multiple OpenClaw agents on separate instances poll a shared Supabase table to send and receive messages asynchron...

0· 113·0 current·0 all-time
byJoel Yi - DeployAIBots.com@joelsalespossible
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
The name/description (Supabase mesh) match the requested binaries (curl, node) and the three env vars (project URL, anon key, agent ID). All required items are necessary for sending/reading messages via the Supabase REST API and for Node-based JSON/time helpers used in the scripts.
Instruction Scope
SKILL.md and the scripts only perform the described operations: GETs to poll/status, POSTs to insert messages, roster discovery and fan-out for broadcasts. Scripts explicitly check required env vars and claim no workspace writes or background listeners. There are no instructions to read unrelated files, system secrets, or to call external endpoints outside the user's Supabase project URL.
Install Mechanism
No install spec — instruction-only with bundled scripts. Nothing is downloaded from external URLs or extracted; scripts are run in-place. This is the low-risk approach and consistent with the skill's stated usage.
Credentials
Only three env vars are required and they are directly relevant. However, the design depends on a shared anon (public) Supabase key: while the skill uses anon (not service_role) and documents RLS policies, anyone with the URL+anon key can SELECT/INSERT on the table. This is an intended tradeoff but is a sensitive credential to share — users must use a dedicated project and treat the anon key as a secret for the mesh.
Persistence & Privilege
Skill is not always-enabled, does not request system-wide changes, does not modify other skills, and does not create persistent processes. It relies on manual/cron invocation which matches the described security model.
Assessment
This skill appears to do what it says, but before installing: 1) Use a dedicated Supabase project (do not reuse projects with sensitive data). 2) Understand that the anon key + project URL grants read/insert access to the messages table — if the key leaks, anyone can read or post mesh messages. 3) Do NOT provide the service_role key to agents; keep it only for dashboard/maintenance. 4) Consider additional RLS or message-level encryption if message content is sensitive. 5) Avoid aggressive automatic broadcasts or short poll intervals without rate-limiting to prevent reply storms and token costs. 6) Rotate keys if an agent or instance is decommissioned, and monitor the Supabase project for unexpected activity. If you want stronger per-agent isolation, consider implementing per-agent JWTs or more restrictive RLS policies instead of a shared anon key.

Like a lobster shell, security has layers — review code before you run it.

latestvk97b1fsmkzatxjdarfebdb08pn83jssw

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

📡 Clawdis
Binscurl, node
EnvMESH_SUPABASE_URL, MESH_SUPABASE_KEY, MESH_AGENT_ID
Primary envMESH_SUPABASE_URL

Comments