supabase-automation
Pass
Audited by Gen Agent Trust Hub on Mar 13, 2026
Risk Level: SAFE
PROMPT_INJECTION, DATA_EXFILTRATION, COMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection due to its interaction with external data sources.
  - Ingestion points: Untrusted data enters the agent context through tools like `SUPABASE_SELECT_FROM_TABLE` and `SUPABASE_LIST_MEMBERS_OF_AN_ORGANIZATION` (found in `SKILL.md`).
  - Boundary markers: There are no explicit instructions for the agent to use delimiters or to ignore embedded instructions within the retrieved data.
  - Capability inventory: The skill includes the `SUPABASE_BETA_RUN_SQL_QUERY` tool, which allows for the execution of arbitrary PostgreSQL statements (found in `SKILL.md`).
  - Sanitization: No sanitization, validation, or escaping logic is defined for the content processed from external queries.
- [DATA_EXFILTRATION]: The skill interacts with sensitive information, including service-role API keys via the `SUPABASE_GET_PROJECT_API_KEYS` tool. While it exposes these secrets to the agent, it correctly includes instructions to mask or truncate these values to prevent them from being leaked in the final output.
- [COMMAND_EXECUTION]: The skill enables high-privilege database operations through the `SUPABASE_BETA_RUN_SQL_QUERY` tool. Although this is the primary purpose of the skill, the ability to run arbitrary SQL poses a risk if the agent's instructions are influenced by malicious data retrieved during earlier steps in a workflow.
Audit Metadata