supabase-setup
Pass
Audited by Gen Agent Trust Hub on Feb 22, 2026
Risk Level: SAFE
Full Analysis
- [Indirect Prompt Injection] (LOW): The skill scans the local codebase (TypeScript interfaces and mock data) to infer database schemas. This creates a surface for indirect prompt injection if an attacker includes malicious instructions in code comments. However, the risk is minimal as the agent uses this data specifically for schema inference. Ingestion points: codebase scanning for TS files and mock data. Boundary markers: absent. Capability inventory: file system writes, network operations via CLI, and package installation. Sanitization: absent.
- [External Downloads] (SAFE): The skill uses Homebrew and NPM to install official Supabase tools. These are trusted, well-known sources consistent with the skill's primary purpose.
- [Credentials Unsafe] (SAFE): The skill correctly avoids hardcoding secrets. It prompts the user to generate a strong password and manually populate .env.local with API keys, then ensures the environment file is added to .gitignore.
Audit Metadata