ClawHub

Instant DB

v1.0.0

Real-time database integration with InstantDB. Use this skill when working with InstantDB apps to perform admin operations (create/update/delete entities, link/unlink relationships, query data) and subscribe to real-time data changes. Triggers include mentions of InstantDB, real-time updates, database sync, entity operations, or when OpenClaw needs to send action updates visible to humans in real-time.

1· 1.5k·0 current·0 all-time
by@ubyjerome
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The skill name/description match the included code and documentation: it integrates with InstantDB to perform queries, create/update/delete, link/unlink, transactions, and subscriptions. The required runtime dependencies (@instantdb/admin, ws) and the presented CLI/map to the described capabilities, so the feature set is coherent with the stated purpose.
Instruction Scope
SKILL.md and the CLI instruct only to run npm install, set INSTANTDB_APP_ID and INSTANTDB_ADMIN_TOKEN, and then use the provided commands. The instructions do not attempt to read unrelated files or exfiltrate data to unknown endpoints; runtime behavior is limited to operations against the InstantDB SDK and websocket subscriptions.
Install Mechanism
There is no formal install spec in the registry, but package.json and SKILL.md instruct running npm install which will fetch @instantdb/admin and ws from the public npm registry. This is expected for a Node SDK integration, but the lack of an explicit install spec in the registry metadata is an inconsistency to note.
!
Credentials
The skill requires INSTANTDB_APP_ID and INSTANTDB_ADMIN_TOKEN at runtime (documented in SKILL.md and enforced by the CLI), but the registry metadata incorrectly lists no required environment variables or primary credential. The admin token has broad privileges (transact, delete, link), so requesting an admin credential is proportionate to the functionality but must be explicitly declared and handled carefully — the metadata omission is a red flag.
Persistence & Privilege
The skill does not request always:true or other elevated persistence, does not modify other skills' config, and is user-invocable. It will run as a normal, on-demand/autonomous-invokable skill.
What to consider before installing
Before installing: 1) Be aware the code requires an admin-level INSTANTDB_ADMIN_TOKEN and an INSTANTDB_APP_ID — an admin token can perform destructive operations (delete/transact/link) so only provide a scoped credential or a non-production instance. 2) The registry metadata omits these required env vars — confirm with the publisher why they weren't declared and prefer skills that list needed secrets explicitly. 3) Audit the @instantdb/admin package version and its permissions, and consider running npm install and the skill in a sandboxed/test environment first. 4) If you cannot verify the skill author's trustworthiness or the package code, do not provide production admin credentials; consider creating a least-privilege test account for evaluation.

Like a lobster shell, security has layers — review code before you run it.

latestvk97abtf24e4jw8xwc9xebrqprh80qjbs

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments