首页龙虾技能列表 › Supabase Manager — 技能工具

Supabase Manager — 技能工具

v1.0.2

Manage Supabase projects from the command line. Query tables, insert/update/delete rows, manage RLS policies, handle auth users, and work with storage. Use w...

0· 85·1 当前·1 累计
by @vanthienha199 (Ha Le)·MIT-0
下载技能包
License
MIT-0
最后更新
2026/3/28
安全扫描
VirusTotal
无害
查看报告
OpenClaw
可疑
medium confidence
The skill's behavior mostly matches a Supabase CLI-style helper, but there are internal inconsistencies about required environment variables and credential storage that should be clarified before use.
评估建议
This skill appears to do what it says (uses the Supabase REST API via anon key), but there are two things to confirm before using it: (1) fix the mismatch between the registry metadata and SKILL.md — the skill should declare SUPABASE_URL and SUPABASE_ANON_KEY in the registry if they are required; (2) clarify credential persistence — resolve the contradiction about storing credentials to disk vs not storing them. Do NOT provide a Supabase service_role key to this skill; if you are uncomfortable h...
详细分析 ▾
用途与能力
The SKILL.md describes a Supabase manager that only needs SUPABASE_URL and SUPABASE_ANON_KEY (anon key) which is appropriate for the stated functionality. However, the registry metadata claims no required env vars while the SKILL.md requires two — this mismatch between declared requirements and the runtime instructions is a red flag (could be packaging omission or mis-declaration).
指令范围
Instructions are scoped to Supabase REST and RPC calls via curl/jq and include sensible safeguards (confirm before DELETE/UPDATE, use anon key, RLS-aware). However the SKILL.md contains contradictory statements: it both says 'This skill does NOT store credentials to disk' and later says 'Store config locally — never send keys to external services.' That conflict expands the agent's discretion about persisting secrets and should be resolved.
安装机制
No install spec and no code files — the skill is instruction-only and runs curl commands at runtime. That is the lowest installation risk surface (nothing is written or downloaded by an installer).
凭证需求
Only the anon/public key and project URL are requested in SKILL.md, which is proportionate for a client-side Supabase helper. The manifest/registry not declaring required env vars is inconsistent with the SKILL.md and should be corrected. The skill explicitly forbids requesting the service_role key — follow that guidance and never provide a service role key to this skill.
持久化与权限
The skill's instructions are ambiguous about persistence: one section says credentials are not stored, another tells to 'Store config locally'. This ambiguity creates uncertainty about whether secrets or config might be written to disk. The skill does not request always:true and has no install-time persistence declared, but the conflicting guidance warrants clarification before granting environment variables.
安全有层次,运行前请审查代码。

License

MIT-0

可自由使用、修改和再分发,无需署名。

运行时依赖

无特殊依赖

版本

latestv1.0.22026/3/28

- Added an explicit env section to SKILL.md to document required environment variables (SUPABASE_URL, SUPABASE_ANON_KEY) and their descriptions. - No changes to functionality; documentation only.

● 无害

安装命令 点击复制

官方npx clawhub@latest install supabase-manager
镜像加速npx clawhub@latest install supabase-manager --registry https://cn.clawhub-mirror.com

技能文档

You manage Supabase projects using the REST API and SQL. Fast, direct, no ORM overhead.

Connection Setup

On first use, ask the user for:

  • Supabase URLhttps://[project-ref].supabase.co
  • Anon key (public) — for RLS-protected queries

This skill uses ONLY the anon (public) key by default. The anon key is designed to be safe for client-side use — it is protected by Row Level Security (RLS) policies you configure in Supabase.

Credential Handling

  • Credentials are provided by the user at runtime via environment variables: SUPABASE_URL and SUPABASE_ANON_KEY
  • This skill does NOT store credentials to disk
  • This skill does NOT request or use the service role key
  • All queries go through Supabase's RLS layer — the skill cannot bypass your security policies

API Calls

Use curl for all Supabase REST API operations:

Query (SELECT)

curl -s "[URL]/rest/v1/[table]?select=&[filters]" \
  -H "apikey: [KEY]" \
  -H "Authorization: Bearer [KEY]"

Insert

curl -s -X POST "[URL]/rest/v1/[table]" \
  -H "apikey: [KEY]" \
  -H "Authorization: Bearer [KEY]" \
  -H "Content-Type: application/json" \
  -d '[JSON]'

Update

curl -s -X PATCH "[URL]/rest/v1/[table]?[filter]" \
  -H "apikey: [KEY]" \
  -H "Authorization: Bearer [KEY]" \
  -H "Content-Type: application/json" \
  -H "Prefer: return=representation" \
  -d '[JSON]'

Delete

curl -s -X DELETE "[URL]/rest/v1/[table]?[filter]" \
  -H "apikey: [KEY]" \
  -H "Authorization: Bearer [KEY]"

PostgREST Filter Syntax

  • ?column=eq.value — equals
  • ?column=neq.value — not equals
  • ?column=gt.value — greater than
  • ?column=lt.value — less than
  • ?column=gte.value — greater than or equal
  • ?column=like.pattern — LIKE
  • ?column=ilike.pattern — case-insensitive LIKE
  • ?column=in.(val1,val2) — IN
  • ?column=is.null — IS NULL
  • ?order=column.desc — ORDER BY
  • ?limit=10 — LIMIT
  • ?offset=20 — OFFSET
  • ?select=col1,col2,related_table(col3) — select specific columns + joins

Commands

"Show tables" / "List tables"

curl -s "[URL]/rest/v1/" -H "apikey: [KEY]" | jq 'keys'

"Query [table]" / "Show me [table]"

curl -s "[URL]/rest/v1/[table]?select=&limit=20" \
  -H "apikey: [KEY]" -H "Authorization: Bearer [KEY]" | jq .
Present as a formatted markdown table.

"Count [table]"

curl -s "[URL]/rest/v1/[table]?select=count" \
  -H "apikey: [KEY]" -H "Authorization: Bearer [KEY]" \
  -H "Prefer: count=exact"

"Insert into [table]: [data]"

Parse the user's data, construct JSON, POST it.

"Delete from [table] where [condition]"

Construct the filter, confirm with user before executing: "This will delete rows from [table] where [condition]. Proceed? (y/n)"

"Run SQL: [query]"

For complex queries, use Supabase RPC (remote procedure call) with the anon key: 
curl -s -X POST "[URL]/rest/v1/rpc/[function_name]" \
  -H "apikey: [ANON_KEY]" \
  -H "Authorization: Bearer [ANON_KEY]" \
  -H "Content-Type: application/json" \
  -d '{"param": "value"}'
Note: RPC functions must be created in Supabase first and must have appropriate RLS policies.

Rules

  • ALWAYS confirm before DELETE or UPDATE operations
  • Only use the anon key — never request the service role key
  • Credentials come from environment variables, not stored in files
  • Present query results as formatted markdown tables, not raw JSON
  • If a query returns >50 rows, show first 20 and say "Showing 20 of [N] rows. Add a filter to narrow down."
  • Store config locally — never send keys to external services
数据来源:ClawHub ↗ · 中文优化:龙虾技能库
OpenClaw 技能定制 / 插件定制 / 私有工作流定制

免费技能或插件可能存在安全风险,如需更匹配、更安全的方案,建议联系付费定制

了解定制服务