Supabase Vault

Replace OpenClaw's local file vault with Supabase Vault for AES-256 encrypted-at-rest secret storage. All API keys and auth tokens stored encrypted in Postgr...

What to check before installing: - Metadata mismatch: the registry lists no required credentials, but the skill requires your Supabase Project URL and the service_role key. Treat that as a red flag: ask the publisher why metadata omits this, or treat the omission as an indicator you should proceed cautiously. - Use a dedicated Supabase project: the skill requires the service_role key which bypasses RLS. Create a new Supabase project used only for OpenClaw secrets so the key cannot access other data. - Audit the code & SQL: review assets/setup.sql, migrate.js, fetch-secrets.js, and rpc-handler.ts to confirm they do exactly what you expect (they do in this bundle, but confirm no hidden endpoints or extra network calls). Pay attention to the migration script which will read ~/.openclaw/secrets.json and upload values to your Supabase project. - Backup local secrets & config: before running migration or letting the skill modify ~/.openclaw/openclaw.json, make backups of secrets.json and openclaw.json so you can revert if needed. - Credential storage & file permissions: the keychain fallback writes ~/.openclaw/supabase-vault-config.enc (mode 0600). Verify that file ownership/permissions are appropriate and that scripts in ~/.openclaw/skills/supabase-vault are owned by your user (the exec provider relies on trustedDirs and ownership checks). - NPM dependency risk: the instructions install @supabase/supabase-js into ~/.openclaw/skills/supabase-vault. Ensure you control the environment or pin a vetted version if you need a higher assurance. - Prompt-injection artifact: the SKILL.md contained unicode control characters according to the scanner — inspect the raw file for hidden characters or unexpected content. - Test in a sandbox: first deploy and test this integration in a non-production environment to validate behavior (connectivity, migration dry-run, provider registration, restart behavior) before using it on production secrets. If you are not comfortable auditing the code and managing a dedicated Supabase project with a service_role key, consider not installing or ask the skill author/publisher for verification and corrected registry metadata.

Type: OpenClaw Skill Name: supabase-vault Version: 1.0.0 The skill bundle provides a legitimate integration for using Supabase Vault as an encrypted secret storage backend for OpenClaw. It implements a robust security model using platform-native keychains (macOS Security/Linux Secret Service) or a machine-bound AES-256-GCM fallback (via scripts/crypto-local.js) to protect bootstrap credentials. The migration logic in scripts/migrate.js and the secret retrieval in scripts/fetch-secrets.js are transparent, well-documented, and strictly follow the user-provided Supabase configuration without evidence of data exfiltration or malicious intent.