Supabase Developer
Pass
Audited by Gen Agent Trust Hub on Mar 17, 2026
Risk Level: SAFEEXTERNAL_DOWNLOADSCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill metadata contains an installation command that fetches the skill markdown file from a remote GitHub repository hosted by an individual user (majiayu000).
- [COMMAND_EXECUTION]: The skill provides instructions for project initialization and management using the Supabase CLI (npx supabase) and package managers (npm install).
- [PROMPT_INJECTION]: The skill demonstrates patterns for fetching and displaying data from a database, creating an indirect prompt injection surface if the retrieved content contains malicious instructions.
- Ingestion points: Retrieval of data from 'posts' and 'comments' tables using the Supabase client library (SKILL.md).
- Boundary markers: Absent in the provided code snippets for displaying queried database content.
- Capability inventory: Includes the ability to execute shell commands and install packages for infrastructure management (SKILL.md).
- Sanitization: The skill's security best practices section explicitly recommends implementing input validation using libraries like Zod (SKILL.md).
Audit Metadata