mcp-supabase

Fail

Audited by Gen Agent Trust Hub on Feb 17, 2026

Risk Level: HIGH
Findings: CREDENTIALS_UNSAFE, COMMAND_EXECUTION, DATA_EXFILTRATION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
  • COMMAND_EXECUTION (HIGH): The 'execute_sql' tool lets the agent run arbitrary SQL. The skill's safety rules (requiring WHERE clauses, asking the user to confirm) are natural-language instructions to the model, not controls enforced by the tool or the database; a model that is prompt-injected, jailbroken, or simply wrong can issue any statement the underlying database role permits.
  • DATA_EXFILTRATION (HIGH): The skill has read access to the 'user_profiles' and 'share_links' tables, which hold sensitive PII (emails, Stripe IDs) and authentication tokens. An attacker, or a prompt the agent has been tricked into following, could use 'execute_sql' to read these rows and disclose them in the agent's response or push them to any outbound channel the agent controls.
  • CREDENTIALS_UNSAFE (HIGH): The 'get_publishable_keys' tool and read access to the 'token' column of 'share_links' expose credentials. A share-link token is a bearer secret, so any role that can read the column can use the links it protects, and the keys could be used for unauthorized access to Supabase services.
  • EXTERNAL_DOWNLOADS (HIGH): Automated security scans flagged a malicious URL inside 'sql.md', the file the skill points the agent to for planning and recording SQL operations. Because the skill directs the agent to read and write that file, the URL sits directly in the agent's instruction path.
  • PROMPT_INJECTION (LOW): The skill is exposed to indirect prompt injection because it ingests untrusted data (database records and logs). Instructions planted in a database row or a log line come back as query output and can be acted on when the agent reads the results.
      • Ingestion points: results from 'execute_sql' and 'get_logs'.
      • Boundary markers: none identified; there are no delimiters around returned data and no instruction to treat its content as data rather than commands.
      • Capability inventory: 'execute_sql', 'apply_migration', 'deploy_edge_function'.
      • Sanitization: none programmatic; Rule 8 is a natural-language instruction to mask values, with nothing enforcing it.
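The controls the findings above describe as missing, shown as an added example that is not code from the audited skill, from Gen Agent Trust Hub, or from Supabase: a PostgreSQL role and grant set that turns the skill's natural-language rules (read-only use, required WHERE clauses, Rule 8 masking) into limits the database enforces regardless of what the model decides. The table names come from the audit; the role name agent_ro, the timeout value, and every column name (display_name, owner_id, expires_at, token, and the rest) are assumptions.

```sql
-- Added example, not part of the audited skill, Gen Agent Trust Hub, or Supabase.
-- Database-side enforcement of the rules the skill states only in natural language.
-- Table names come from the audit; the role name agent_ro and every column name
-- (display_name, owner_id, expires_at, token, ...) are assumptions.

-- 1. A dedicated, minimally privileged role for the execute_sql tool.
--    Connection credentials are set out of band; nothing is granted yet.
CREATE ROLE agent_ro LOGIN;
REVOKE ALL ON SCHEMA public FROM agent_ro;
REVOKE ALL ON ALL TABLES IN SCHEMA public FROM agent_ro;
GRANT USAGE ON SCHEMA public TO agent_ro;

-- 2. Defence in depth: read-only transactions and a statement timeout.
--    Both are session-level settings that the role itself can SET back,
--    so they are not the hard limit; the grants below are.
ALTER ROLE agent_ro SET default_transaction_read_only = on;
ALTER ROLE agent_ro SET statement_timeout = '5s';

-- 3. Column-level grants: the PII and token columns are never readable.
--    SELECT * on either table fails for this role because it would touch
--    columns the role has no privilege on.
GRANT SELECT (id, display_name, created_at)
  ON public.user_profiles TO agent_ro;
GRANT SELECT (id, owner_id, created_at, expires_at)
  ON public.share_links TO agent_ro;

-- 4. Where the agent needs to tell tokens apart, the masking that the skill's
--    Rule 8 asks the model to do is done by the database instead. The view
--    runs with its owner's privileges, so the owner (not agent_ro) reads token.
CREATE VIEW public.share_links_masked
  WITH (security_barrier = true) AS
  SELECT id,
         owner_id,
         created_at,
         expires_at,
         repeat('*', greatest(length(token) - 4, 0)) || right(token, 4) AS token_hint
    FROM public.share_links;
GRANT SELECT ON public.share_links_masked TO agent_ro;

-- 5. The skill's "require a WHERE clause" rule becomes moot: agent_ro holds
--    no INSERT, UPDATE or DELETE privilege on any table, so a DELETE without
--    WHERE is rejected for lack of privilege, not because the model remembered.
```

Run the script as the database owner, then have the execute_sql tool open its connection as agent_ro rather than as the project's service role or a superuser. To check the enforcement, SET ROLE agent_ro and run SELECT token FROM share_links and DELETE FROM share_links; both are rejected with a permission error because the role was never granted those privileges. Two caveats: PUBLIC has EXECUTE on functions by default, so a SECURITY DEFINER function that reads share_links would bypass the column grants and needs its EXECUTE revoked separately; and none of this addresses the malicious URL in sql.md or the injection path through query and log output, which the agent harness has to handle on its side.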
Recommendations
  • AI detected serious security threats
  • Contains 1 malicious URL(s) - DO NOT USE
Audit Metadata
Risk Level: HIGH
Analyzed: Feb 17, 2026, 06:27 PM