Volcengine Supabase

Security checks across malware telemetry and agentic risk

Overview

This skill is a coherent Volcengine Supabase admin tool, but it gives an agent powerful database, deployment, branch, storage, and secret-access abilities with safety gaps users should review first.

Install only if you intend to let the agent administer real Volcengine Supabase resources. Use a non-production workspace or branch first, set `READ_ONLY=true` for exploration, avoid `execute-sql` unless you have reviewed the query, treat `get-keys --reveal` output as a secret, and review the pinned GitHub dependency before using production credentials.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Tool Misuse: Tool Parameter Abuse, Chaining Abuse, Unsafe Defaults
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (16)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 96%
Finding:
The skill instructs the agent to invoke a local Python script that uses environment credentials, reads local files, and performs network actions against external infrastructure, but the skill does not declare permissions for those capabilities. This creates a trust and review gap: users or platforms may authorize the skill believing it is lower risk than it actually is, while the documented commands can affect cloud resources and potentially expose secrets if misused.

Description-Behavior Mismatch

Severity: Medium
Confidence: 94%
Finding:
This client can retrieve and return raw Supabase API keys, including the highly privileged service_role key. In a local agent skill context, exposing those credentials is dangerous because they can be copied, logged, reused outside the intended workflow, and grant broad database or backend access beyond the skill's advertised workspace-management scope.

Intent-Code Divergence

Severity: High
Confidence: 98%
Finding:
`apply_migration` is decorated with `@read_only_check` but clearly builds and executes mutating SQL (`CREATE SCHEMA`, `CREATE TABLE`, arbitrary migration SQL, and an `INSERT`). If other parts of the system trust this decorator to gate safe/read-only operations, this mismatch can let destructive writes bypass policy controls and mislead users or higher-level agents into approving a dangerous action.

Context-Inappropriate Capability

Severity: Medium
Confidence: 93%
Finding:
The tool exposes retrieval of API keys including the service-role key via `_get_api_keys_payload`, and `get_publishable_keys` can return unmasked secrets when `reveal=True`. Service-role keys are highly privileged credentials and are not necessary for ordinary workspace metadata management, so exposing them through a broadly accessible skill materially increases the risk of credential disclosure and downstream compromise.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding:
The guide explicitly instructs users to deploy Edge Functions with JWT verification disabled for public APIs and webhooks, but it does not provide sufficient warning that this removes platform-level authentication entirely. In this context, readers may copy the example and unintentionally expose sensitive functionality to unauthenticated callers, especially because other examples in the same guide use service-role credentials inside functions.

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding:
The playbook includes raw DELETE and UPDATE examples that can modify or remove production data without any adjacent warning, transactional safety guidance, or recommendation to verify targets first. In the context of an agent skill for managing Supabase via a local CLI, users may copy and execute these examples directly against real environments, increasing the chance of accidental destructive actions.

Missing User Warnings

Severity: High
Confidence: 98%
Finding:
The RLS section provides policies that allow unrestricted public SELECT, INSERT, UPDATE, and DELETE using `true`, effectively disabling meaningful access control while presenting it as a quick setup pattern. In a Supabase-focused skill, this is especially dangerous because RLS is a primary security boundary; copying these examples into a real project could expose or permit tampering with all table data.

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding:
The workflow explicitly instructs operators to retrieve workspace keys but provides no warning that these are sensitive credentials or guidance on least-privilege handling. In a skill that manages Supabase workspaces and exposes real-time CLI-backed operations, normalizing credential retrieval increases the chance of unnecessary secret exposure, logging, copy/paste leakage, or misuse.

Missing User Warnings

Severity: Medium
Confidence: 87%
Finding:
The workflow recommends reset-branch or branch deletion as a recovery step without clearly warning that these actions may discard schema changes, data, or environment state. Because this skill performs real infrastructure/database operations through a local CLI, omission of destructive-action warnings can lead to accidental loss in non-test environments.

Missing User Warnings

Severity: Medium
Confidence: 84%
Finding:
The Edge Function publishing workflow describes deployment as a straightforward sequence but omits any warning about production impact, service disruption, or rollout validation. In an operational deployment skill, this can encourage direct changes to live functions without staging, review, or rollback planning.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding:
The bulk API key retrieval path returns sensitive credentials without any user-facing warning, confirmation, masking, or policy boundary. That creates a clear secret-exfiltration risk, especially because multiple keys may be exposed at once and consumed by downstream tools, logs, or prompts.

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding:
The single-key retrieval function fetches sensitive credentials and stores them in a cache, increasing exposure duration and the chance of accidental leakage through memory inspection, debugging, or reuse by unrelated operations. Retrieving a service_role key is particularly sensitive because compromise can enable broad administrative actions.

Missing User Warnings

Severity: Medium
Confidence: 85%
Finding:
`execute_sql` accepts arbitrary SQL and sends it directly to `/pg/query` with no visible restriction to read-only statements, no confirmation step, and no user-facing warning that the query may mutate or destroy data. In an agent skill, this is risky because prompt-influenced or accidental input can cause destructive database actions under the configured workspace credentials.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding:
`apply_migration` performs schema-changing writes and also interpolates arbitrary migration SQL into a transaction without any visible confirmation or disclosure to the caller. In this skill context, the tool is specifically designed to manage production-like Supabase workspaces, so hidden write capability materially increases the risk of unauthorized schema changes, data loss, or service disruption if invoked by an agent or unsuspecting user.

Tool Parameter Abuse

Severity: High
Category: Tool Misuse
Content:
--workspace-id ws-xxxx \
  --function-name public-api \
  --source-file ./functions/public-api/index.ts \
  --no-verify-jwt

# List deployed functions
uv run ./scripts/call_volcengine_supabase.py list-edge-functions --workspace-id ws-xxxx
Confidence: 97%
Finding:
--no-verify

Tool Parameter Abuse

Severity: High
Category: Tool Misuse
Content:
## Notes

- **JWT verification**: enabled by default. If the function needs public access (e.g. a webhook), use `--no-verify-jwt`
- **Function naming**: only lowercase letters, digits and hyphens are allowed (e.g. `my-api`, `process-order`)
- **Timeout**: Edge Functions have an execution time limit; avoid long blocking operations
- **Logging**: use `console.log()` to write logs, which can be viewed in the platform console
Confidence: 96%
Finding:
--no-verify

VirusTotal

66/66 vendors flagged this skill as clean.
