supabase-splinter-review
Warn
Audited by Socket on Feb 23, 2026
1 alert found:
Security alert (MEDIUM): scripts/run_splinter.sh
This script is not inherently malware, but it contains high-risk operations for supply-chain attack and credential exposure: it downloads SQL from a (configurable) remote URL and executes it directly against a database, and it writes the DB connection URL (possibly including plaintext credentials) to disk. An attacker able to modify the SPLINTER_URL or the hosted SQL can cause arbitrary SQL execution (data exfiltration, modification, or destructive actions). Recommend treating the downloaded SQL as untrusted: pin to a specific commit or checksum, verify signatures, restrict execution privileges, avoid persisting credentials in metadata, and limit who can set SPLINTER_URL or run this script.
Confidence: 90%
Severity: 70%