← Back to Skills Marketplace
Supabase DB
by
Matt Van Horn
· GitHub ↗
· v1.2.1
421
Downloads
0
Stars
0
Active Installs
3
Versions
Install in OpenClaw
/install supabase-db
Description
Connect to Supabase for SQL queries, CRUD, table management, and vector similarity search using pgvector extension and OpenAI embeddings.
Usage Guidance
This skill appears to implement the Supabase functionality it claims, but proceed cautiously: 1) It requires a Supabase service-role key (SUPABASE_SERVICE_KEY) that can read/modify all data and bypasses RLS — only provide a service key if you trust the skill and consider using a least-privilege/project-scoped key instead. 2) Vector search requires an OpenAI API key; the script will send your query text to OpenAI and use the returned embedding. 3) The package metadata does not list these env vars or required tools (curl, jq); check you trust the source and inspect scripts before installing. 4) If you install, run the skill in an isolated environment or with rotated/limited keys first, and avoid giving permanent high-privilege credentials to untrusted skills.
Capability Analysis
Type: OpenClaw Skill
Name: supabase-db
Version: 1.2.1
The skill provides high-risk database capabilities, including raw SQL execution via the `query` command and the use of the Supabase Service Role Key, which explicitly bypasses Row Level Security (RLS). While these features are aligned with the stated purpose of a database management tool, they represent significant security risks in an AI agent context. The implementation in `scripts/supabase.sh` and instructions in `SKILL.md` appear functional and lack clear evidence of intentional malice, though the future-dated metadata and migration notices (March 2026) in `_meta.json` and `SKILL.md` are unusual.
Capability Assessment
Purpose & Capability
The name/description match the provided script and README: the skill performs SQL, CRUD, table management, and pgvector/OpenAI-based vector search. However the registry metadata claims no required environment variables or binaries while SKILL.md and the shipped script explicitly require SUPABASE_URL, SUPABASE_SERVICE_KEY (and OPENAI_API_KEY for vector search) and rely on curl/jq. This metadata mismatch is a packaging/information inconsistency.
Instruction Scope
SKILL.md and the script confine actions to Supabase and OpenAI endpoints and to DB operations; they do not instruct reading arbitrary host files or harvesting unrelated environment variables. Vector-search flows call OpenAI to generate embeddings and call Supabase RPCs. The script will send the provided keys to those services (expected for the stated features).
Install Mechanism
There is no external install/download: this is an instruction-only skill with a bundled shell script. No remote archives or obscure URLs are fetched during install. Risk is limited to running the included script, which will be written to disk if the user installs the skill.
Credentials
The skill requires a Supabase service-role key (SUPABASE_SERVICE_KEY) which grants full database access and bypasses Row-Level Security — a high-privilege credential. That level of access is consistent with features like raw SQL and creating extensions but is sensitive and broad. The skill also uses OPENAI_API_KEY for embeddings. The registry metadata failing to declare these required env vars increases the chance users will unintentionally expose high-privilege credentials. Prefer least-privilege/project-scoped keys where possible.
Persistence & Privilege
The skill does not force permanent inclusion (always:false) but allows autonomous invocation (platform default). Autonomous invocation combined with a supplied service-role key raises the blast radius: if the agent invokes this skill on its own, it could perform high-privilege DB operations without further prompts. This is expected for DB admin-style skills but is worth conscious risk consideration.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat:
/install supabase-db - After installation, invoke the skill by name or use
/supabase-db - Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.2.1
Fix display name (remove Clawdbot prefix)
v1.2.0
Rebrand: clawdbot → openclaw in metadata key and prose references.
v1.1.0
Republish after ClawHavoc moderation sweep. Updated descriptions, Grok-4/API 2026 notes, author/license/repository metadata.
Metadata
Frequently Asked Questions
What is Supabase DB?
Connect to Supabase for SQL queries, CRUD, table management, and vector similarity search using pgvector extension and OpenAI embeddings. It is an AI Agent Skill for Claude Code / OpenClaw, with 421 downloads so far.
How do I install Supabase DB?
Run "/install supabase-db" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is Supabase DB free?
Yes, Supabase DB is completely free (open-source). You can download, install and use it at no cost.
Which platforms does Supabase DB support?
Supabase DB is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).
Who created Supabase DB?
It is built and maintained by Matt Van Horn (@mvanhorn); the current version is v1.2.1.
More Skills