Flexible Data Importer
Warn: Audited by ClawScan on May 10, 2026.
Overview
This data-import skill has a coherent purpose, but it asks for high-privilege Supabase access and points to unreviewed npm-executed code while providing little scoping or rollback guidance.
Review this skill carefully before installing. If you use it, test on a non-production Supabase project, inspect the exact npm package code, avoid broad service-role keys where possible, back up your database, and confirm generated schemas/imports before applying them.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If used against the wrong project or by untrusted code, the importer could create or modify database structures and data with broad authority.
A Supabase service-role key is a high-privilege credential, and the registry metadata declares no primary credential or env vars. The artifacts do not define least-privilege scope, target database limits, or safe handling for this key.
`supabaseKey`: String - Service role key for schema creation.
Use only a test Supabase project or a tightly scoped key if possible, avoid production service-role keys, review generated schema before applying it, and rotate any key shared with the skill.
A mistaken schema inference or import could permanently alter a Supabase database or overwrite existing records.
The skill is designed to generate schemas and perform database UPSERTs, but the artifacts do not state that the user must approve generated SQL/schema changes, restrict affected tables, or provide rollback controls.
- **Auto-Schema Generation**: Reads a sample of your file and proposes a SQL schema. ... - **Supabase Integration**: Direct UPSERT support via PostgREST.
Run imports on a staging database first, require explicit confirmation for schema and UPSERT operations, back up data before use, and document table/schema boundaries.
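The two findings above (an unscoped service-role key, and schema/UPSERT operations with no approval step or table boundaries) can be turned into a pre-flight check that runs before the importer touches anything. The block below is an added example and is not part of the ClawScan review or of the skill's own code. It assumes, as is the case for Supabase API keys, that the key is a JWT whose payload carries `role` ("anon" or "service_role") and `ref` (the project reference) claims; the option names, the `approve`/`execute` callbacks and the fake key builder are illustrative.

```javascript
// Added example, not part of the ClawScan review or of the skill's own code.
// A pre-flight guard for a Supabase import that (1) reads the role claim the
// key carries, (2) pins the import to an allowlisted project and table set,
// and (3) requires an explicit approval step before schema DDL or UPSERTs run.
// Assumed: Supabase API keys are JWTs whose payload has `role` and `ref`
// claims; everything else (option names, callbacks) is illustrative.

function decodeKeyClaims(key) {
  // Only the payload is decoded; the signature is not verified. The point
  // is to learn what authority the key *claims* before handing it to anything.
  const parts = key.split('.');
  if (parts.length !== 3) return null;
  try {
    const payload = JSON.parse(Buffer.from(parts[1], 'base64url').toString('utf8'));
    return { role: payload.role ?? null, ref: payload.ref ?? null };
  } catch {
    return null;
  }
}

function planImport(opts) {
  const { supabaseKey, allowedProjectRefs, allowedTables, allowServiceRole = false,
          table, schemaSql = null, rows = [] } = opts;
  const claims = decodeKeyClaims(supabaseKey);
  const issues = [];
  if (!claims) {
    issues.push('key is not a JWT-shaped Supabase key');
  } else {
    if (claims.role === 'service_role' && !allowServiceRole) {
      issues.push('service_role key bypasses RLS; set allowServiceRole only on a test project');
    }
    if (!allowedProjectRefs.includes(claims.ref)) {
      issues.push(`project ref "${claims.ref}" is not in the allowlist`);
    }
  }
  if (!allowedTables.includes(table)) issues.push(`table "${table}" is not in the allowlist`);
  return {
    ok: issues.length === 0,
    issues,
    keyRole: claims ? claims.role : null,
    // Both DDL and data writes are irreversible without a backup, so both need approval.
    needsApproval: Boolean(schemaSql) || rows.length > 0,
    summary: `${schemaSql ? 'apply schema DDL, then ' : ''}UPSERT ${rows.length} row(s) into "${table}"`,
  };
}

// `approve(summary)` is where an interactive yes/no prompt would go;
// `execute(plan)` is the real PostgREST/SQL call. Both are injected so the
// guard itself stays testable offline.
function runImport(plan, { approve, execute }) {
  if (!plan.ok) throw new Error('refusing import: ' + plan.issues.join('; '));
  if (plan.needsApproval && !approve(plan.summary)) {
    return { status: 'aborted', reason: 'operator did not approve' };
  }
  return { status: 'executed', result: execute(plan) };
}

// Constructed, unsigned key for demonstration only; a real key carries a valid HMAC signature.
function makeFakeKey(role, ref) {
  const b64 = (o) => Buffer.from(JSON.stringify(o)).toString('base64url');
  return `${b64({ alg: 'HS256', typ: 'JWT' })}.${b64({ iss: 'supabase', ref, role })}.sig`;
}
```

In practice `allowedProjectRefs` would hold only staging project references, so a production service-role key pasted by mistake is refused before any request is sent, and `approve` would print `plan.summary` (and the generated DDL) and wait for a typed confirmation. The guard does not replace a backup; it only makes sure the operator sees what is about to happen and where.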
Installing or running the npm package may execute code that was not included in this review, potentially with access to local files and database/API keys.
The reviewed files do not include the dist/cli.js executable that package.json declares as the bin entry, yet the README instructs users to run the tool via npm/npx, and the scoped package name in package.json differs from the unscoped name in the README install command. The code that would actually receive the credentials and modify data is therefore outside the reviewed artifacts.
"name": "@sschepis/flexible-data-importer", ... "bin": { "data-importer": "dist/cli.js" }
Verify the exact npm package name and source repository, inspect the published package contents before running npx, and avoid providing service-role credentials to unreviewed code.
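The recommendation to inspect the published package before running it can be made mechanical: download the tarball, list its contents, and check them against the manifest. The block below is an added example and is not part of the ClawScan review or of the skill's own code. The manifest fields are the ones quoted in the finding; the tarball file listing and the unscoped README install name (`flexible-data-importer`) are constructed assumptions standing in for what a real `npm pack` would produce.

```javascript
// Added example, not part of the ClawScan review or of the skill's own code.
// Checks a downloaded npm tarball's listing against its package.json:
// every `bin` target must exist in the tarball, the package name must
// match the name the README tells users to install, and install-time
// lifecycle scripts are surfaced because they run before the CLI is ever
// invoked. The manifest mirrors the finding; the file listing and the
// expected install name are constructed assumptions.

function auditPackage(manifest, tarballFiles, expectedInstallName) {
  // npm tarballs place everything under a top-level "package/" directory.
  const files = new Set(tarballFiles.map((f) => f.replace(/^package\//, '')));
  const problems = [];

  if (manifest.name !== expectedInstallName) {
    problems.push(`package.json name "${manifest.name}" differs from install name "${expectedInstallName}"`);
  }

  // `bin` may be a single string (command named after the package) or a map.
  const bin = typeof manifest.bin === 'string' ? { [manifest.name]: manifest.bin } : (manifest.bin ?? {});
  for (const [cmd, target] of Object.entries(bin)) {
    if (!files.has(target.replace(/^\.\//, ''))) {
      problems.push(`bin "${cmd}" points at "${target}", which is not in the tarball`);
    }
  }

  // Lifecycle scripts execute during `npm install` / `npx`, with the
  // installing user's privileges, before any code is read by the operator.
  for (const hook of ['preinstall', 'install', 'postinstall']) {
    if (manifest.scripts && manifest.scripts[hook]) {
      problems.push(`install-time script "${hook}": ${manifest.scripts[hook]}`);
    }
  }

  return { safeToRun: problems.length === 0, problems };
}

// Constructed inputs mirroring the finding: the bin target is declared but absent,
// and the README name (assumed) is unscoped while the manifest name is scoped.
const sampleManifest = {
  name: '@sschepis/flexible-data-importer',
  bin: { 'data-importer': 'dist/cli.js' },
  scripts: { build: 'tsc' },
};
const sampleTarballFiles = ['package/package.json', 'package/README.md', 'package/SKILL.md'];
const sampleReport = auditPackage(sampleManifest, sampleTarballFiles, 'flexible-data-importer');
```

To feed it real data, fetch the tarball without installing (`npm pack <name>@<version>` writes a `.tgz` in the current directory) and list it with `tar -tzf`. Any problem in the report means reading the package source, not just the README, before a service-role key goes anywhere near it.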
Samples of imported files may be exposed to an external AI provider during schema inference.
The architecture uses an external LLM adapter while processing a selected local data file. That is purpose-aligned for schema inference, but the artifacts do not clearly state what file samples are sent to the LLM provider or retained.
new OpenAILLMAdapter(process.env.OPENAI_API_KEY) ... await importer.execute('./large-dataset.xlsx');
Do not use sensitive or regulated files unless you understand the provider data flow; redact samples where possible and document what data is sent to the LLM.
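Since the artifacts do not say what part of the file reaches the LLM provider, the safe course is to decide that yourself: send a bounded number of rows, replace values that look like personal data before they leave the machine, and keep a record of what was sent. The block below is an added example and is not part of the ClawScan review or of the skill's own code. The column names, the sample rows and the regex heuristics are constructed and illustrative; a real deployment would tune the redactors to its own data and may prefer to send only column names and inferred types.

```javascript
// Added example, not part of the ClawScan review or of the skill's own code.
// Builds the sample handed to an LLM for schema inference: at most `maxRows`
// rows, with values that look like personal data replaced by placeholders,
// plus a manifest of exactly what was sent. The regexes, column names and
// rows are illustrative assumptions, not the skill's behaviour.

// Order matters: a long all-digit string is treated as an account/ID
// number before the looser phone pattern gets a chance to claim it.
const REDACTORS = [
  { name: 'email', re: /^[^\s@]+@[^\s@]+\.[^\s@]+$/ },
  { name: 'id', re: /^\d{9,}$/ },
  { name: 'phone', re: /^\+?[\d\s().-]{7,}$/ },
];

function redactValue(v) {
  if (typeof v !== 'string') return v;
  for (const { name, re } of REDACTORS) {
    if (re.test(v)) return `<${name}>`;
  }
  return v;
}

function buildLlmSample(rows, { maxRows = 5, dropColumns = [] } = {}) {
  const sample = rows.slice(0, maxRows).map((row) => {
    const out = {};
    for (const [col, val] of Object.entries(row)) {
      if (dropColumns.includes(col)) continue; // never sent, not even redacted
      out[col] = redactValue(val);
    }
    return out;
  });
  // The manifest is what you log or store so "what left the machine"
  // has a concrete answer later.
  const manifest = {
    rowsSent: sample.length,
    columnsSent: sample.length ? Object.keys(sample[0]) : [],
    columnsDropped: dropColumns,
  };
  return { sample, manifest };
}

// Constructed rows standing in for the first lines of a spreadsheet.
const sampleRows = [
  { name: 'Ada', email: 'ada@example.com', phone: '+1 555 010 2000', account: '123456789012', notes: 'vip' },
  { name: 'Bo', email: 'bo@example.org', phone: '555-0100', account: '9876543210', notes: '' },
];
```

The placeholders still let a model infer a sensible column type (`<email>` reads as text, `<id>` as a numeric or text identifier) while the real values stay local; the `manifest` is what you attach to the import log to satisfy the "document what data is sent" recommendation.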
