alicloud-database-rds-supabase
v1.0.0Manage Alibaba Cloud RDS Supabase (RDS AI Service 2025-05-07) via OpenAPI. Use for creating, starting/stopping/restarting instances, resetting passwords, querying endpoints/auth/storage, configuring auth/RAG/SSL/IP whitelist, and listing instance details or conversations.
⭐ 0· 997·0 current·0 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
high confidencePurpose & Capability
The skill's stated purpose (manage Alibaba Cloud RDS Supabase) legitimately requires Alibaba Cloud AccessKey/Secret and a Region, and the SKILL.md explicitly instructs the agent to read ALICLOUD_ACCESS_KEY_ID / ALICLOUD_ACCESS_KEY_SECRET / ALICLOUD_REGION_ID and ~/.alibabacloud/credentials. However, the registry metadata lists no required environment variables or primary credential. That mismatch between declared requirements and the runtime instructions is an incoherence.
Instruction Scope
The SKILL.md stays within the high-level scope of an RDS-management tool (create/start/stop/reset/configure/etc.) and documents API names and workflows. It explicitly instructs the agent to: prefer reading AK/SK from env vars, fall back to ~/.alibabacloud/credentials, optionally perform full-region queries (ListRegions + per-region DescribeAppInstances), and write outputs to output/database-rds-supabase/. These actions are plausible for cloud administration but have privacy/footprint implications (reading credentials file, enumerating all regions/instances). The instructions also assume the availability of an SDK or OpenAPI Explorer but do not declare that dependency.
Install Mechanism
There is no install spec (instruction-only), which reduces installation risk. However, SKILL.md recommends using the official SDK or OpenAPI Explorer (RPC signing) — the skill does not declare or ensure those tools are present. That omission could lead an agent to attempt calls without proper libraries or to prompt for ad-hoc methods; still, there is no direct install-based risk (no third-party downloads).
Credentials
The runtime instructions require Alibaba Cloud credentials and may involve providing or modifying storage configuration that can include third-party credentials (e.g., S3 keys in ModifyInstanceStorageConfig). The registry metadata, however, lists no required env vars or primary credential. Requesting AccessKey/Secret and possible storage keys is proportionate to cloud management, but the absence of declared credentials and the skill's unknown source/homepage increase the risk of accidental credential exposure. The skill also instructs reading the user's credentials file (~/.alibabacloud/credentials), a sensitive path that should have been declared.
Persistence & Privilege
The skill is not always-enabled and does not request persistent installation or system-wide configuration changes. It is user-invocable and allows autonomous invocation (platform default). Autonomous invocation combined with credential access would enlarge blast radius, but there is no explicit persistent or privileged installation behavior in the package.
What to consider before installing
This skill appears to be a legitimate RDS Supabase management helper, but there are two red flags: the SKILL.md expects Alibaba Cloud credentials (env vars and ~/.alibabacloud/credentials) while the registry metadata declares no required credentials, and the skill's source/homepage is missing. Before installing or using it: (1) do not supply high-privilege long-lived AK/SK — use a least-privilege RAM role or temporary credentials; (2) confirm you trust the skill's author or ask for a homepage/source; (3) be prepared for operations that enumerate regions and instances and that may write outputs to output/database-rds-supabase/; (4) if you must try it, test with an isolated account or dummy credentials and verify the agent prompts before any full-region enumeration or destructive actions (delete/reset); (5) consider requiring the skill to declare required env vars and dependencies (SDK) in its metadata before enabling it for production use.Like a lobster shell, security has layers — review code before you run it.
latestvk97fkjsp8rw04f1cawz8j4zr8980z577
License
MIT-0
Free to use, modify, and redistribute. No attribution required.