supabase-postgres-best-practices
Pass
Audited by Gen Agent Trust Hub on Feb 21, 2026
Risk Level: SAFE
Full Analysis
- EXTERNAL_DOWNLOADS (INFO): The skill references the `@supabase/mcp-server` package via `npx`. As Supabase is an identified trusted organization, this is considered a safe recommendation for the intended use case.
- SECURITY_BEST_PRACTICES (SAFE): The skill explicitly teaches defensive programming and database security. For example, it correctly instructs the use of `set search_path = ''` for `security definer` functions to prevent search-path hijacking attacks.
- DATA_EXPOSURE (SAFE): All references to API keys and credentials (e.g., `SUPABASE_SERVICE_ROLE_KEY`, `password`) use clear placeholders like `your-service-role-key` or `xxx`. No real secrets are hardcoded.
- COMMAND_EXECUTION (SAFE): While the skill mentions the Supabase MCP server, which can execute queries, this is presented as a configuration for a separate official tool from a trusted vendor, not as a malicious command embedded in the skill's own logic.
Audit Metadata