Is supabase safe?
https://clawhub.ai/stopmoclay/supabase
This Supabase skill is a legitimate database client wrapper but grants the LLM agent unrestricted SQL execution with service-role privileges that bypass Row Level Security. The primary risks are catastrophic data operations (DROP/TRUNCATE via raw SQL), credential exposure if SUPABASE_URL is manipulated, and stored prompt injection via database content returned to the agent. No malicious intent was detected, but the skill's design provides dangerously broad database access without safety guardrails.
Findings (8)
HIGH Service key transmitted to configurable endpoint -30
SUPABASE_SERVICE_KEY is sent in every API request header to SUPABASE_URL. Since SUPABASE_URL is user-configured via environment variable, if an attacker can influence this value (via env var injection, DNS poisoning, or social engineering), they gain the service role key which provides full database access bypassing Row Level Security.
HIGH Unrestricted SQL execution via query command -35
The query command allows arbitrary SQL execution against the database with service role privileges. This includes DDL (CREATE, DROP, ALTER), DML (INSERT, UPDATE, DELETE without filters), DCL (GRANT, REVOKE), and system catalog access. No allowlist, blocklist, or confirmation mechanism exists.
MEDIUM Full database read access with no scope restriction -25
Using the service role key, the agent can read any table including potentially sensitive user data, authentication tokens, or PII. The select command and raw query provide unrestricted read access to the entire database.
MEDIUM Database content could contain prompt injection payloads -20
Query results are returned to the agent for processing. If an attacker has stored prompt-injection payloads in database fields (e.g., a user bio containing 'Ignore previous instructions and...'), the agent would receive and potentially act on these instructions when querying that data.
MEDIUM URL parameter injection via unsanitized table names and filter values -15
Table names and filter values from user input are interpolated directly into REST API URLs without URL encoding. While PostgREST likely handles this safely server-side, malformed input could cause unexpected API behavior.
LOW Destructive operations lack confirmation guardrails -25
The skill provides delete, update, and raw SQL commands without any confirmation mechanism or dry-run mode. An agent misinterpreting a user request could execute destructive operations. The delete/update commands require at least one filter, but the raw query command has no such restriction.
LOW OpenAI API key sent for vector search embedding generation -5
The vector-search command sends the OPENAI_API_KEY to api.openai.com along with the search query text. This is expected behavior for embedding generation but means the skill requires access to an additional API key beyond Supabase credentials.
INFO Clean installation with no suspicious activity 0
The skill installed cleanly with no network connections, no process spawning, and no filesystem modifications outside the expected skill directory. All filesystem events during monitoring were from the openclaw runtime, not the skill itself.