Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Supabase Tool

v1.1.0

Generate Supabase API curl commands and SQL query helpers. Use when querying tables, counting rows, inserting records, checking database health, auditing RLS...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
Requires OAuth token
Requires sensitive credentials
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotal: Suspicious
OpenClaw: Benign (high confidence)
Purpose & Capability
The SKILL.md, help text, and scripts all implement a Supabase curl/SQL helper as described. Minor inconsistency: the registry metadata lists no required binaries, but SKILL.md and the script clearly require bash, curl, and python3 to format output.
Instruction Scope
Runtime instructions and the included script only generate curl commands and simple JSON formatting; they do not read local files, access environment variables, or send data to unexpected endpoints. All network endpoints referenced are Supabase domains or api.supabase.com as expected.
Install Mechanism
No install spec (instruction-only) and a single helper script is included. No downloads or archive extraction occur on install — low installation risk.
Credentials
The skill does not request or read any environment variables or credentials. It uses placeholder values (YOUR_PROJECT_REF, YOUR_ACCESS_TOKEN, YOUR_ANON_KEY) which the user must replace before running commands — this is appropriate for its purpose.
Persistence & Privilege
always is false and the skill does not modify agent/system configuration or claim persistent privileges. It only prints commands for the user to run manually.
Assessment
This skill appears coherent and low-risk: it only generates example curl commands and does not store or read secrets. Before using: (1) note the script requires bash, curl, and python3 even though the registry metadata omitted those; (2) carefully replace placeholders (YOUR_ACCESS_TOKEN, YOUR_ANON_KEY, YOUR_PROJECT_REF) locally — do not paste secrets into public chat; (3) inspect any generated curl command before running it to ensure you aren't sending sensitive data to an unexpected place. If you want extra assurance, run the printed curl commands from a local terminal rather than allowing any automated executor to run them for you.


latest vk97dehw18krxdt2nxtbt46h9558500mp
