ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Flexible Data Importer

AI-powered ingestion of CSV, JSON, and XLSX files with auto schema generation and seamless Supabase database integration.

MIT-0 · Free to use, modify, and redistribute. No attribution required.
0 · 1.3k · 1 current installs · 1 all-time installs
by@sschepis
MIT-0
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Suspicious
medium confidence
!
Purpose & Capability
SKILL.md and README describe a data-importer that uses an LLM and writes schemas to Supabase (auto-schema, upserts). That capability legitimately requires network, filesystem access, and a Supabase key. However, the registry header lists no required env vars or primary credential while the README/SKILL.md explicitly reference SUPABASE_URL, SUPABASE_KEY (service_role) and OPENAI_API_KEY. Also package.json indicates this is an npm package with a CLI (data-importer) but the bundle contains no source or dist files — inconsistent with the declared purpose.
!
Instruction Scope
Runtime instructions ask the agent to read an arbitrary file path (filePath) from the filesystem and upload and create schemas in a Supabase project. This scope is coherent with the importer purpose, but SKILL.md/README access environment variables and service keys that are not declared in the registry metadata. Reading arbitrary local paths plus networked upload is a sensitive combination: ensure the agent will only be given explicit file paths the user intends to import.
Install Mechanism
No install spec (instruction-only), which is lower risk. However, package.json and a large package-lock.json are present while no source or dist files are included in the bundle — this mismatch could indicate an incomplete package or omitted files. There's no download-from-URL or extract step in the manifest.
!
Credentials
The skill expects SUPABASE_URL and SUPABASE_KEY (explicitly a service role key in SKILL.md) and mentions OPENAI_API_KEY in README. A Supabase service_role key grants full database privileges (including schema changes and reading all data) and is high privilege; the registry metadata declares no required env vars or primary credential. Requesting such high-privilege credentials without declaring them is disproportionate and should be clarified. Prefer least-privilege credentials or require explicit user confirmation.
Persistence & Privilege
always is false and there is no indication the skill requests permanent agent presence or modifies other skills' config. Autonomous invocation is allowed (platform default) but does not increase concern by itself.
What to consider before installing
This skill appears to do what it claims (import files into Supabase using an LLM), but there are several inconsistencies and a real security implication: it expects a Supabase service_role key (full DB privileges) and possibly an OpenAI API key, yet the registry metadata does not declare those secrets. Before installing or using it: 1) Do not provide your production SUPABASE service_role key — create a least-privilege key or dedicated project for testing. 2) Ask the publisher for the full source (dist/cli.js, adapter implementations) to audit what data is read and where it is sent. 3) Prefer running the importer in a sandboxed environment with only the specific file(s) you intend to import. 4) Confirm how the skill handles sensitive fields (PII) and whether it transmits data to third parties beyond your Supabase project or the LLM provider. 5) If you cannot audit the code or limit credentials, treat this skill as untrusted and avoid giving high-privilege keys.

Like a lobster shell, security has layers — review code before you run it.

Current versionv1.0.0
Download zip
latestvk97d393716em5exqmax3s6jzgs80k3qv

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

SKILL.md

OpenClaw Data Importer Skill

<!-- SKILL-META id: flexible-data-importer version: 1.0.0 author: OpenClaw description: AI-driven data ingestion for CSV, JSON, XLSX with auto-schema generation and Supabase integration. capabilities: - data-ingestion - schema-generation - supabase - etl requires: llm: true filesystem: true network: true invocation: cli: data-importer <file-path> api: UniversalImporter.execute(filePath) parameters: - name: filePath type: string required: true description: Path to the source file (CSV, JSON, XLSX). -->

An AI-driven skill that ingests disparate data formats (CSV, JSON, XLSX) and builds a structured Supabase database. It automatically infers relationships, types, and schema names.

Inputs

  • filePath: String - Path to the source file.
  • supabaseUrl: String - Your project URL.
  • supabaseKey: String - Service role key for schema creation.

Capabilities

  • Auto-Schema: No need to define tables beforehand.
  • Type Safety: Automatically converts strings to dates/numbers where appropriate.
  • Batched Uploads: Handles large historical datasets without crashing.

Files

4 total
Select a file
Select a file to preview.

Comments

Loading comments…