← Back to Skills Marketplace

Whirlwind

Name: Whirlwind
Author: rosebeatty

by Rose Beatty · GitHub ↗ · v1.0.0 · MIT-0

cross-platform ⚠ suspicious

Downloads

Stars

Active Installs

Versions

Install in OpenClaw

/install whirlwind

Description

Production-ready Next.js AI SaaS template with Supabase auth, Stripe payments, email system, multi-model AI client, and customizable components for rapid AI...

Usage Guidance

This skill appears to be a legitimate template generator, but exercise caution before providing secrets. Do not paste high-privilege keys (especially SUPABASE_SERVICE_ROLE_KEY, Stripe secret keys, or any private AI provider keys) directly into chat. Prefer the following safer workflow: - Verify the skill's source (GitHub repo, package publisher) and review the templates locally before running any automated setup. The registry metadata lacks a verified homepage — confirm the repository URL is legitimate. - When setting up services, create and paste only low-privilege keys into client-side config (e.g., public anon keys or publishable Stripe keys). Never disclose service_role or secret API keys in a conversational interface. Use your hosting platform's secrets manager or environment configuration (Vercel, Supabase project settings, etc.). - Inspect the generated .env files and ensure server-only secrets are kept out of client builds. SUPABASE_SERVICE_ROLE_KEY must only be used server-side and not committed to version control or exposed to the browser. - If you want ClawdBot to help with setup, restrict it to providing commands and checklists rather than collecting secrets. If you must provide keys to the skill, do so via a secure channel (not chat) and consider creating limited-scope API keys for this purpose. - If you plan to run the setup automatically, review the code paths that persist secrets and run migrations locally or in an isolated environment first. Given the mismatch between the manifest and the instructions and the explicit instruction to collect secrets in chat, treat this skill as suspicious until you confirm its provenance and adjust how secrets are supplied.

Capability Analysis

Type: OpenClaw Skill Name: whirlwind Version: 1.0.0 The Whirlwind skill bundle functions as a comprehensive setup assistant for a SaaS template, but it is classified as suspicious due to its aggressive collection of high-privilege credentials. The 'SETUP_WORKFLOW.md' and 'SKILL.md' files instruct the agent to solicit extremely sensitive secrets from the user, including the Supabase Service Role key (which bypasses Row Level Security), Stripe Secret keys, and multiple AI API keys. While the instructions direct the agent to save these to a local '.env.local' file, the process involves handling these secrets within the agent's context, creating a high risk of accidental exposure or misuse. Furthermore, the skill relies on cloning an external repository (github.com/WhirlwindAI/whirlwind), which introduces a supply chain risk as the core logic resides outside the analyzed bundle.

Capability Tags

cryptocan-make-purchasesrequires-oauth-tokenrequires-sensitive-credentials

Capability Assessment

ℹ Purpose & Capability

The declared purpose (Next.js AI SaaS template with Supabase, Stripe, AI providers) matches the templates and examples provided. However, the skill.json and registry metadata list no required environment variables or primary credential, while SKILL.md and README repeatedly instruct the agent to collect and use many secrets (Supabase anon and SERVICE_ROLE key, Stripe secret/webhook secret, Anthropic/OpenAI keys, Mailchimp key, etc.). That mismatch (no declared required env vs. explicit instructions to collect many secrets) is an incoherence that reduces trust.

⚠ Instruction Scope

SKILL.md and SETUP_WORKFLOW.md explicitly instruct ClawdBot to prompt the user for API keys and secrets and to 'Create your .env with all your API keys' and to paste values into the conversation (e.g., 'Give me these: NEXT_PUBLIC_SUPABASE_URL=...'). Collecting highly privileged secrets (notably SUPABASE_SERVICE_ROLE_KEY and Stripe secret keys) via chat is unnecessary and dangerous. The rest of the instruction scope (creating components, API routes, SQL migrations, and using the AI client) is within the template's purpose, but the instructions grant the agent broad discretion to request and persist sensitive data in chat and files.

✓ Install Mechanism

This is an instruction-first skill with included templates and no install spec — lowest install risk. There are no downloads, remote install URLs, or archive extraction steps in the metadata. The included templates are consistent with the stated purpose.

⚠ Credentials

The set of environment variables requested in the docs (Supabase URL, anon key, SUPABASE_SERVICE_ROLE_KEY, STRIPE_SECRET_KEY, NEXT_PUBLIC_STRIPE_PUBLISHABLE_KEY, STRIPE_WEBHOOK_SECRET, ANTHROPIC_API_KEY, OPENAI_API_KEY, Mailchimp keys, etc.) are all relevant to running the template. However, the inclusion of SUPABASE_SERVICE_ROLE_KEY (a high-privilege service key) and the practice of asking the user to paste those keys into the chat are disproportionate and risky. Additionally, the manifest declares no required env variables or primary credential — inconsistent with the large number of secrets the workflow expects.

ℹ Persistence & Privilege

The skill does not request 'always: true' and does not claim additional platform privileges. It instructs the agent to write .env files and migrations to the project — normal for a template generator. Nevertheless, because the skill's runtime instructions encourage placing secrets into files and the chat, treat autonomous invocation with caution: if the agent can run this workflow automatically, it could collect and persist secrets without clear guardrails. On its own this is not a privilege escalation, but combined with the secret-collection behavior it raises risk.

How to Use

Make sure OpenClaw is installed (local or Docker)
Run the install command in chat: /install whirlwind
After installation, invoke the skill by name or use /whirlwind
Provide required inputs per the skill's parameter spec and get structured output

Version History

v1.0.0

Whirlwind AI SaaS Template Skill version 2.0.0 is a major update with expanded documentation and clear customization steps. - Introduces a detailed SKILL.md with infrastructure overview and clear file structure annotations (core, customizable, and generatable files). - Guides users to create new AI-driven features, API endpoints, and database tables with step-by-step code templates. - Describes included tech: Supabase auth, Stripe payments, email systems, and support for multiple AI models (Claude, GPT-4, Gemini). - Standardizes usage of shared AI client utilities and secure database operations. - Centralizes product-specific configuration and content, streamlining custom AI SaaS product creation.

Metadata

Slug whirlwind

Version 1.0.0

License MIT-0

All-time Installs 0

Active Installs 0

Total Versions 1

Frequently Asked Questions

What is Whirlwind?

Production-ready Next.js AI SaaS template with Supabase auth, Stripe payments, email system, multi-model AI client, and customizable components for rapid AI... It is an AI Agent Skill for Claude Code / OpenClaw, with 55 downloads so far.

How do I install Whirlwind?

Run "/install whirlwind" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is Whirlwind free?

Yes, Whirlwind is completely free, licensed under MIT-0. You can download, install and use it at no cost.

Which platforms does Whirlwind support?

Whirlwind is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).

Who created Whirlwind?

It is built and maintained by Rose Beatty (@rosebeatty); the current version is v1.0.0.

More Skills