Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Volcengine Supabase

v1.0.0

Manage Volcengine Supabase workspaces, branches, SQL queries, migrations, Edge Functions, Storage, and TypeScript type generation via a local CLI. Run uv run...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal
Suspicious
OpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description align with the code: the bundle implements a CLI (scripts/call_volcengine_supabase.py) to list/manage workspaces, branches, DB, Edge Functions, and Storage on Volcengine Supabase. However, registry metadata claims no required environment variables while SKILL.md and the code clearly require VOLCENGINE_ACCESS_KEY / VOLCENGINE_SECRET_KEY (and optionally other SUPABASE_* env vars). That metadata mismatch is misleading.
Instruction Scope
SKILL.md instructs running the included Python CLI via 'uv run' or python. The runtime instructions and examples match the actual code paths. The CLI accepts file arguments (e.g. --query-file, --source-file) and will read those files locally, and it will send content (SQL, source files, import maps) to remote Volcengine endpoints — this is expected for the stated capability. Note: the code will also attempt to obtain credentials from a vefaas IAM helper if present, which expands how credentials can be acquired at runtime.
Install Mechanism
No install script is included (instruction-only install), but requirements.txt declares dependencies including a git+https pip install of 'git+https://github.com/sjcsjcsjc/volcengine-python-sdk.git@<commit>'. Installing directly from a third‑party GitHub repo (not an official release host) is a moderate risk and should be reviewed. No arbitrary binary downloads or extract steps were found.
Credentials
The code legitimately needs Volcengine credentials (VOLCENGINE_ACCESS_KEY, VOLCENGINE_SECRET_KEY) to call APIs and may use VOLCENGINE_SESSION_TOKEN or vefaas IAM to obtain temporary creds. The registry metadata omitted these required env vars and listed no primary credential — that mismatch is problematic. No unrelated credentials are requested, but the automatic vefaas IAM credential fetch behavior should be considered before running in shared/sensitive environments.
Persistence & Privilege
The skill does not request 'always: true' and does not modify other skills or system-wide agent settings. It runs as a CLI and uses included code; autonomous invocation (default) is allowed but not combined with other privileged flags.
What to consider before installing
This package appears to implement what it says (a Volcengine Supabase CLI), but the registry metadata omits the required Volcengine credentials and the requirements install a Python SDK directly from a third‑party GitHub repo. Before installing: (1) verify you trust the GitHub repo referenced in requirements.txt or pin/replace it with an official SDK; (2) do not provide production VOLCENGINE_ACCESS_KEY/SECRET_KEY to untrusted code—test in a safe/non-production account or use limited-permission credentials; (3) be aware the CLI can read any local file paths you pass (SQL, source code) and will transmit those contents to Volcengine endpoints; (4) note the code may try to obtain temporary credentials via a vefaas IAM helper if present—avoid running in environments where that could expose broader credentials. If the missing required-env metadata concerns you, ask the publisher to update the manifest to declare VOLCENGINE_ACCESS_KEY and VOLCENGINE_SECRET_KEY (and any other env vars) explicitly and to justify the git dependency.

Like a lobster shell, security has layers — review code before you run it.

latestvk979zagnt7z4h7zh3atwgrtb7582sstz


Runtime requirements

🧩 Clawdis
OS: macOS · Linux
Bins: uv
