supabase-setup
Audited by Socket on Feb 22, 2026
1 alert found:
Security [Skill Scanner]: Installation of third-party script detected

This skill's instructions and capabilities are consistent with its stated purpose and use official tooling and endpoints. I find no signs of obfuscation, credential harvesting to third-party endpoints, or download-and-execute supply-chain tricks. The primary risks are operational (applying generated migrations to a hosted database without an explicit review step) and the normal supply-chain risk of installing CLIs and npm packages from official registries. Overall this is benign but requires user caution (review generated SQL, protect non-client keys, ensure .env.local is not committed).

LLM verification: This skill's capabilities match its stated purpose and it uses official tools (Homebrew, npm, Supabase CLI). There are no signs of covert credential harvesting or exfiltration; the flows point to Supabase (the intended target). However, the skill explicitly instructs operators to install external CLIs and run commands that download and execute code, and it also runs high-impact operations (project creation and supabase db push) which can modify live infrastructure. Those supply-chain and high-im