📦 database — 技能工具
v1.0.0Connect to Supabase for database operations, vector search, and storage. Use for storing data, running SQL queries, similarity search with pgvector, and mana...
0· 25·0 当前·0 累计
by 安全扫描
OpenClaw
可疑
medium confidenceThe skill's files implement a Supabase CLI and require high‑privilege Supabase credentials and an external embedding API, but the registry metadata omits those requirements and misses required binaries — the capability/requirements don't fully align.
评估建议
This skill implements a Supabase CLI and will need: SUPABASE_URL and a SUPABASE_SERVICE_KEY (service role key) plus SKILLBOSS_API_KEY for embeddings, and command-line tools like curl and jq. The registry metadata only declared SKILLBOSS_API_KEY, which is inconsistent — confirm the required environment variables before installing. Because the script uses a Supabase service role key (full access), only install if you trust the skill and are willing to grant full DB access; prefer creating a least-...详细分析 ▾
⚠ 用途与能力
The skill's stated purpose (Supabase DB operations, vector search) matches the script's behavior, but the registry's declared required env vars list only SKILLBOSS_API_KEY while the script actually requires SUPABASE_URL and SUPABASE_SERVICE_KEY (a Supabase service role key with full access). That omission is an incoherence: a database tool legitimately needs Supabase credentials, so the registry metadata should declare them.
⚠ 指令范围
SKILL.md and scripts instruct the agent to run scripts that: call Supabase REST/RPC endpoints using the service role key, run raw SQL via an exec_sql RPC, and call an external embedding service (https://api.heybossai.com/v1/pilot). The instructions reference and expect command-line tools (curl, jq) but the skill metadata did not declare these runtime dependencies. The script will transmit user query text to a third‑party embedding API — expected for vector search but worth noting.
✓ 安装机制
There is no installer or external download; the skill is instruction-plus-included-script (scripts/supabase.sh). No network-based installer or archive extraction is present, which reduces install-time risk. The script itself will be installed as a file in the skill bundle.
⚠ 凭证需求
The script requires SUPABASE_SERVICE_KEY (service role key — full DB access) and SUPABASE_URL in addition to SKILLBOSS_API_KEY. The registry only lists SKILLBOSS_API_KEY. Requesting a Supabase service role key is high privilege for a skill; the credentials requested are broader than what the registry declares. Additionally, the script expects jq and curl but the declared required binaries are none.
ℹ 持久化与权限
always is false (good). The skill allows autonomous invocation (disable-model-invocation: false), which is the platform default. Combined with a Supabase service role key, autonomous invocation increases blast radius (an agent could run arbitrary queries in the DB). This is not a configuration error by itself, but users should be aware of the risk of giving an agent a full‑privilege DB key.
安全有层次,运行前请审查代码。
运行时依赖
无特殊依赖
版本
latestv1.0.02026/4/16
Initial release – CLI tool for Supabase database, vector search, and storage operations. - Supports SQL queries, CRUD (create, read, update, delete), upsert, and table management from the command line. - Provides vector similarity search using pgvector and embeddings via SkillBoss API Hub integration. - Includes scripts for table listing, schema description, and stored procedure (RPC) calls. - Offers simple environment variable setup for authentication and service configuration. - Features comprehensive command documentation and setup guidance for vector search.
● Pending
安装命令
点击复制官方npx clawhub@latest install godfery-database
镜像加速npx clawhub@latest install godfery-database --registry https://cn.longxiaskill.com