security-supabase
Pass
Audited by Gen Agent Trust Hub on Feb 12, 2026
Risk Level: LOW (NO_CODE)
Full Analysis
The skill consists of a main SKILL.md file and 19 reference markdown files. Each reference file details a specific security best practice or common vulnerability pattern in Supabase, providing 'Incorrect' and 'Correct' SQL or TypeScript code examples. The skill's primary function is to serve as a security guide.
- Prompt Injection: No patterns detected. The skill's content is instructional and does not attempt to manipulate the AI's behavior.
- Data Exfiltration: No commands or code snippets are present that would exfiltrate data. The examples demonstrate how to prevent data exfiltration or unauthorized access within a Supabase project.
- Obfuscation: No obfuscation techniques (Base64, zero-width characters, homoglyphs, etc.) were detected in any of the files.
- Unverifiable Dependencies: The skill references external Supabase documentation URLs and uses standard, trusted Supabase client libraries (e.g., @supabase/supabase-js, @supabase/ssr, expo-auth-session) in its code examples. These are considered trusted sources and are used illustratively, not executed by the skill itself.
- Privilege Escalation: The skill discusses SECURITY DEFINER functions and sudo in the context of explaining how they can be misused or how to use them securely within a Supabase database. It does not attempt to perform privilege escalation itself.
- Persistence Mechanisms: No patterns detected. The skill does not attempt to establish persistence.
- Metadata Poisoning: The metadata fields (name, description, author, organization) are benign and accurately describe the skill's purpose.
- Indirect Prompt Injection: Not applicable, as the skill is informational and does not process external user-supplied content.
- Time-Delayed / Conditional Attacks: No patterns detected. The skill is a static collection of security advice and does not execute any code. Therefore, it is deemed safe.
Audit Metadata