← 返回 Skills 市场

Supabase Ops

Name: Supabase Ops
Author: guifav

作者 Guilherme Favaron · GitHub ↗ · v0.1.2 · MIT-0

cross-platform ⚠ suspicious

1772

总下载

当前安装

版本数

在 OpenClaw 中安装

/install supabase-ops

功能描述

Manages Supabase migrations, types generation, RLS policies, and edge functions

安全使用建议

This skill appears to do what it says (manage Supabase migrations and edge functions) but ask yourself the following before installing or giving it credentials: - Do NOT provide your SUPABASE_SERVICE_ROLE_KEY to any automated skill unless you trust it and you understand the consequences. That key bypasses RLS and can read/modify all data. - Prefer running the skill with only development-scoped credentials or on a throwaway environment first. For production, require manual approval and review the 'planning' output before letting the skill run any `db push` with a production DB URL. - Verify the source repository and owner (claw.json references a GitHub URL but the published metadata's 'Homepage' is missing). Inspect the upstream code and commit history yourself if possible. - Be aware the skill will modify your repository (create migration files, regenerate types, run git commit). Ensure you have backups or CI checks and review commits before pushing. - The package metadata is inconsistent (registry metadata shows no required env vars while the included files require them). Treat that as a sign to be cautious and ask the publisher for clarification. If you decide to proceed: provide least-privilege credentials, run the skill in a dev branch or staging project, require dry-runs and explicit confirmations for production, and review all generated migrations and commits before applying them to production.

功能分析

Type: OpenClaw Skill Name: supabase-ops Version: 0.1.2 The supabase-ops skill is a legitimate tool for managing Supabase infrastructure, including migrations, RLS policies, and edge functions. It includes a robust 'Planning Protocol' and safety rules designed to prevent accidental data loss, and its use of sensitive environment variables (e.g., SUPABASE_SERVICE_ROLE_KEY) is strictly aligned with its stated purpose of database administration via the standard Supabase CLI (SKILL.md, claw.json).

能力评估

ℹ Purpose & Capability

Name/description (Supabase migrations, types, RLS, edge functions) matches the SKILL.md instructions: creating migration files, running `npx supabase` commands, generating types, scaffolding and deploying edge functions. However, the registry summary at the top of the report lists no required env vars or binaries while the embedded claw.json and SKILL.md both require `npx`, `git` and three env vars (NEXT_PUBLIC_SUPABASE_URL, NEXT_PUBLIC_SUPABASE_ANON_KEY, SUPABASE_SERVICE_ROLE_KEY). That metadata mismatch is inconsistent and unexplained.

⚠ Instruction Scope

SKILL.md explicitly instructs the agent to read and modify repo files (supabase/migrations/, src/lib/supabase/types.ts), run commands that alter a database (`npx supabase db push`), regenerate types, and commit changes. Those actions are in-scope for a migration tool, but they give the skill permission to modify the user's repository and apply schema changes. The doc also claims credentials are accessed exclusively via the Supabase CLI and that it never reads .env files — that is an instruction, not an enforceable guarantee; the agent can still access environment or files if available. The plan/approval protocol is good, but the agent's ability to run destructive operations (with the provided keys) means the instruction scope is high-impact and needs careful user approval before production runs.

✓ Install Mechanism

This is an instruction-only skill (no install spec, no code files to execute). That minimizes install-time risk because nothing is being downloaded or written by an installer. Runtime commands (npx, git) are relied on to be present on the host.

⚠ Credentials

The skill requires three environment values: NEXT_PUBLIC_SUPABASE_URL (declared as primaryEnv), NEXT_PUBLIC_SUPABASE_ANON_KEY, and SUPABASE_SERVICE_ROLE_KEY. The service role key is highly privileged (can bypass RLS and perform admin operations) and grants full DB access; it is appropriate for admin/deploy tasks but must be treated as a secret and scoped carefully. Using both public anon keys and the service role key is plausible but increases risk if the service role key is provided to an automated agent. Additionally, setting the URL as primaryEnv is odd (URL is not a secret) while the most-sensitive credential is not set as primaryEnv — a minor inconsistency. Finally, the top-level registry metadata claims no required env vars whereas claw.json and SKILL.md do; that mismatch is a red flag for sloppy metadata or potential attempt to hide required secrets.

ℹ Persistence & Privilege

The skill is not 'always: true' and is user-invocable. claw.json includes permissions for filesystem and network which are expected for a migration helper but broaden the blast radius when combined with the service role key and autonomous invocation (the skill can be invoked by the agent). The skill will write migration files, regenerate types, and run git commits — legitimate but powerful. Because autonomous invocation is allowed by default, providing high-privilege credentials increases risk; there's no built-in forced gating beyond the planning protocol.

如何使用

确保已安装 OpenClaw（本地或 Docker 部署）
在对话框中输入安装命令：/install supabase-ops
安装完成后，直接呼叫该 Skill 的名称或使用 /supabase-ops 触发
根据 Skill 的参数说明提供必要输入，即可获得结构化输出

版本历史

v0.1.2

- Initializes a changelog with the addition of a CHANGELOG.md file. - No changes to core functionality; only documentation files were updated.

v0.1.1

No user-visible changes in this release. - No file changes detected from the previous version. - Behavior and documentation remain the same as in version 0.1.0.

v0.1.0

Initial release of the supabase-ops skill — automates and safeguards Supabase migrations, types, RLS, and edge functions for Next.js projects. - Adds full protocol for planning, reviewing, and executing schema changes with built-in dry-run and risk warnings. - Enforces migrations for all schema changes; direct database edits are never allowed. - Requires all tables to use row-level security (RLS) by default, with templates for common policies. - Automates TypeScript type generation after every migration and guides updating affected code. - Provides workflows for safe operations in both development and production environments. - Includes step-by-step procedures for managing migrations, RLS policies, edge functions, indexes, and seed data.

元数据

Slug supabase-ops

版本 0.1.2

许可证 MIT-0

累计安装 4

当前安装数 4

历史版本数 3

常见问题

Supabase Ops 是什么？

Manages Supabase migrations, types generation, RLS policies, and edge functions. 它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件，目前累计下载 1772 次。

如何安装 Supabase Ops？

在 OpenClaw 或 Claude Code 对话框中运行命令「/install supabase-ops」即可一键安装，无需额外配置。

Supabase Ops 是免费的吗？

是的，Supabase Ops 完全免费，采用 MIT-0 许可证，可自由下载、安装和使用。

Supabase Ops 支持哪些平台？

Supabase Ops 跨平台运行，可在任意部署了 OpenClaw / Claude Code 的环境中使用（cross-platform）。

谁开发了 Supabase Ops？

由 Guilherme Favaron（@guifav）开发并维护，当前版本 v0.1.2。