Supabase Vault

by maverick-software · GitHub ↗ · v1.0.0
cross-platform ⚠ suspicious
318 Downloads · 0 Stars · 1 Active Installs · 1 Versions
Install in OpenClaw
/install supabase-vault
Description
Replace OpenClaw's local file vault with Supabase Vault for AES-256 encrypted-at-rest secret storage. All API keys and auth tokens stored encrypted in Postgr...
Usage Guidance
What to check before installing:
- Metadata mismatch: the registry lists no required credentials, but the skill requires your Supabase Project URL and the service_role key. Treat that as a red flag: ask the publisher why the metadata omits this, or treat the omission as an indicator that you should proceed cautiously.
- Use a dedicated Supabase project: the skill requires the service_role key, which bypasses RLS. Create a new Supabase project used only for OpenClaw secrets so the key cannot access other data.
- Audit the code & SQL: review assets/setup.sql, migrate.js, fetch-secrets.js, and rpc-handler.ts to confirm they do exactly what you expect (they do in this bundle, but confirm there are no hidden endpoints or extra network calls). Pay attention to the migration script, which will read ~/.openclaw/secrets.json and upload values to your Supabase project.
- Backup local secrets & config: before running the migration or letting the skill modify ~/.openclaw/openclaw.json, make backups of secrets.json and openclaw.json so you can revert if needed.
- Credential storage & file permissions: the keychain fallback writes ~/.openclaw/supabase-vault-config.enc (mode 0600). Verify that file ownership/permissions are appropriate and that scripts in ~/.openclaw/skills/supabase-vault are owned by your user (the exec provider relies on trustedDirs and ownership checks).
- NPM dependency risk: the instructions install @supabase/supabase-js into ~/.openclaw/skills/supabase-vault. Ensure you control the environment, or pin a vetted version if you need higher assurance.
- Prompt-injection artifact: the SKILL.md contained Unicode control characters according to the scanner; inspect the raw file for hidden characters or unexpected content.
- Test in a sandbox: first deploy and test this integration in a non-production environment to validate behavior (connectivity, migration dry-run, provider registration, restart behavior) before using it on production secrets.
If you are not comfortable auditing the code and managing a dedicated Supabase project with a service_role key, consider not installing or ask the skill author/publisher for verification and corrected registry metadata.
Capability Analysis
Type: OpenClaw Skill
Name: supabase-vault
Version: 1.0.0
The skill bundle provides a legitimate integration for using Supabase Vault as an encrypted secret storage backend for OpenClaw. It implements a robust security model using platform-native keychains (macOS Security/Linux Secret Service) or a machine-bound AES-256-GCM fallback (via scripts/crypto-local.js) to protect bootstrap credentials. The migration logic in scripts/migrate.js and the secret retrieval in scripts/fetch-secrets.js are transparent, well-documented, and strictly follow the user-provided Supabase configuration without evidence of data exfiltration or malicious intent.
Capability Assessment
Purpose & Capability
The skill's name/description (Supabase-backed vault) matches the included code and runtime instructions: it stores secrets in Supabase, provides dashboard UI, migration, and an exec bridge. However, the registry metadata declares no required credentials or primary credential, while the SKILL.md and code clearly require the Supabase Project URL + service_role key, a high-privilege secret. That metadata omission is inconsistent with the skill's actual requirements and reduces transparency for users.
Instruction Scope
SKILL.md and the scripts instruct the agent/admin to: run setup SQL in Supabase, copy TypeScript UI & RPC files into the OpenClaw codebase, run npm install in the skill directory, and run the migration (which reads ~/.openclaw/secrets.json). The connect handler will then add an exec provider to ~/.openclaw/openclaw.json and suggest restarting the gateway. All of these actions are within the stated purpose (migrating/managing secrets), but they are impactful (mutating openclaw.json, migrating secrets from disk to a remote service, restarting the gateway). The migration script reads the local secrets.json and uploads its values to Supabase. This is intended for the feature but high-impact, so it requires careful review and backups.
Install Mechanism
No remote arbitrary download/install spec is included; the SKILL.md instructs installing @supabase/supabase-js into a local skill directory via npm (npm install --prefix ~/.openclaw/skills/supabase-vault). That is a common and expected mechanism. There is no installer that fetches code from arbitrary URLs; code files are included in the skill bundle. Still, running npm will bring external NPM packages into your environment — standard but should be considered.
Credentials
The skill requests (in instructions and at runtime) your Supabase Project URL and the service_role key. The service_role key bypasses RLS and is highly privileged; asking for it is consistent with providing a vault, but it is sensitive and should be limited to a dedicated Supabase project. The registry declares no required env vars/primary credential, which is inconsistent with the actual credential needs. The key storage methods (OS keychain or AES-GCM file) are appropriate, but the overall privilege of the requested secret is high and should be justified and isolated.
Persistence & Privilege
The skill is not always:true and allows user invocation. It does modify OpenClaw configuration (writes to ~/.openclaw/openclaw.json to add an exec provider) and the SKILL.md recommends restarting the gateway. Modifying the agent config is necessary for the exec-based secret provider, but it is a privileged, persistent change — the user should expect and review it. The skill does not attempt to change other skills' configs beyond adding the provider entry.
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install supabase-vault
  3. After installation, invoke the skill by name or use /supabase-vault
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.0
Initial release — Supabase Vault as OpenClaw secrets backend. AES-256 encrypted-at-rest secrets in Postgres, OS keychain or machine-derived AES-256-GCM for bootstrap credentials, dashboard Integrations tab, one-click migration from local vault.
Metadata
Slug supabase-vault
Version 1.0.0
License
All-time Installs 1
Active Installs 1
Total Versions 1
Frequently Asked Questions

What is Supabase Vault?

Replace OpenClaw's local file vault with Supabase Vault for AES-256 encrypted-at-rest secret storage. All API keys and auth tokens stored encrypted in Postgr... It is an AI Agent Skill for Claude Code / OpenClaw, with 318 downloads so far.

How do I install Supabase Vault?

Run "/install supabase-vault" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is Supabase Vault free?

Yes, Supabase Vault is completely free (open-source). You can download, install and use it at no cost.

Which platforms does Supabase Vault support?

Supabase Vault is cross-platform and runs anywhere OpenClaw / Claude Code is available.

Who created Supabase Vault?

It is built and maintained by maverick-software (@maverick-software); the current version is v1.0.0.
