Query Supabase projects - count users, list signups, check stats. Use for database queries and user analytics.
Security Analysis
high confidence
The skill's requests, instructions, and bundled script match its stated purpose (querying Supabase for user counts and listings) and there are no obvious attempts to exfiltrate data to third parties, but it legitimately requires a highly privileged service_role key which you should protect.
Name/description (Supabase user analytics) align with required env vars (SUPABASE_URL, SUPABASE_SERVICE_KEY), the CLI script, and the documented commands. Requesting a service_role JWT is coherent with the stated need to call the Auth Admin API.
SKILL.md and the script are focused on reading data from the user's Supabase project (auth admin endpoints, REST, optional RPC). They read/write only a config file at ~/.supabase_config.json and use only SUPABASE_URL/SUPABASE_SERVICE_KEY. Note: the README/script instruct the user to store the admin key locally (interactive save or env), which is functionally necessary but increases risk if the host is shared.
No install spec; instruction-only plus a single Python script. It relies on python3 and the requests package (validated in the script). Nothing is downloaded from external URLs or installed automatically.
The skill requires the SUPABASE_SERVICE_KEY (primary credential). This is proportionate for Admin API tasks (listing/counting users) but is a highly privileged secret (service_role JWT). The README recommends the JWT and even urges it; the skill also documents a less-privileged alternative (read-only SQL role). Requiring this credential is justified by the feature set but should be considered sensitive.
The skill does persist credentials to ~/.supabase_config.json (with chmod 600). always is false and disable-model-invocation is true (agent cannot autonomously invoke the skill), which reduces autonomous blast radius. It does not modify other skills or system-wide settings.
Guidance
This skill appears to do what it says: query your Supabase project for user analytics and project info. However, it asks for and encourages use of your Supabase service_role JWT (eyJ...) which grants full admin access to your database. Before installing:
1) Only provide this key on a trusted, private machine — avoid shared or CI environments.
2) Prefer using environment variables (not committed config files) or create a least-privilege read-only Postgres role / use the SQL API instead of the service_role key.
3) If you do save credentials to ~/.supabase_config.json, understand the file is persistent on disk (the script sets 600 permissions).
4) The package source has no homepage and an unknown owner — if you don't trust the publisher, review the included script (scripts/supabase.py) yourself (it is small and network calls are only to your Supabase URL).
5) Rotate the key if it may have been exposed.
Overall the skill is internally consistent but you must treat the requested service_role key as highly sensitive.
Latest Release
v1.0.0
**Major update: New Python-based Supabase skill focused on user analytics and project queries.**
- Replaced Bash script (`supabase.sh`) with a Python script (`supabase.py`) for all commands.
- Simplified usage: Focused on counting users, listing signups, and checking user stats.
- Improved setup instructions for securely managing credentials (environment, config, or interactive).
- Now provides native commands for user analytics, signups, and project info with optional JSON output.
- Clarifies the difference between legacy JWT keys and new format keys—JWT `service_role` key required for full capabilities.
- Updated documentation for daily reports, GraphQL support, and robust security guidance.
Published by @joelchance on ClawHub