Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Supabase Manager

v1.0.2

Manage Supabase projects from the command line. Query tables, insert/update/delete rows, manage RLS policies, handle auth users, and work with storage. Use w...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The SKILL.md describes a Supabase manager that only needs SUPABASE_URL and SUPABASE_ANON_KEY (the anon key), which is appropriate for the stated functionality. However, the registry metadata claims no required env vars while the SKILL.md requires two — this mismatch between declared requirements and the runtime instructions is a red flag (it could be a packaging omission or a mis-declaration).
Instruction Scope
Instructions are scoped to Supabase REST and RPC calls via curl/jq and include sensible safeguards (confirm before DELETE/UPDATE, use anon key, RLS-aware). However the SKILL.md contains contradictory statements: it both says 'This skill does NOT store credentials to disk' and later says 'Store config locally — never send keys to external services.' That conflict expands the agent's discretion about persisting secrets and should be resolved.
Install Mechanism
No install spec and no code files — the skill is instruction-only and runs curl commands at runtime. That is the lowest installation risk surface (nothing is written or downloaded by an installer).
Credentials
Only the anon/public key and project URL are requested in SKILL.md, which is proportionate for a client-side Supabase helper. The manifest/registry not declaring required env vars is inconsistent with the SKILL.md and should be corrected. The skill explicitly forbids requesting the service_role key — follow that guidance and never provide a service role key to this skill.
Persistence & Privilege
The skill's instructions are ambiguous about persistence: one section says credentials are not stored, another says to 'Store config locally'. This ambiguity creates uncertainty about whether secrets or config might be written to disk. The skill does not request always:true and has no install-time persistence declared, but the conflicting guidance warrants clarification before granting environment variables.
What to consider before installing
This skill appears to do what it says (uses the Supabase REST API via anon key), but there are two things to confirm before using it: (1) fix the mismatch between the registry metadata and SKILL.md — the skill should declare SUPABASE_URL and SUPABASE_ANON_KEY in the registry if they are required; (2) clarify credential persistence — resolve the contradiction about storing credentials to disk vs not storing them. Do NOT provide a Supabase service_role key to this skill; if you are uncomfortable handing the anon key directly, consider creating a temporary/anonymized test project with strict RLS policies for evaluation. If the author cannot clarify these points, treat the skill as untrusted and avoid supplying real keys or sensitive data.




Runtime requirements

Environment variables:
- SUPABASE_URL (required): Supabase project URL (e.g., https://xxxxx.supabase.co)
- SUPABASE_ANON_KEY (required): Supabase anon (public) key — safe for client-side use, protected by RLS
