supabase
Fail
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: HIGH
COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, DATA_EXFILTRATION, REMOTE_CODE_EXECUTION
Full Analysis
- COMMAND_EXECUTION (HIGH): The skill explicitly includes the `Bash` tool in its `allowed-tools` list. This enables arbitrary shell command execution on the host system, which is a high-severity capability for an AI agent.
- REMOTE_CODE_EXECUTION (HIGH): An automated scanner (URLite) flagged a malicious URL (`URL:Blacklist|URE40E38848FEE8F9C-0200`) associated with the `sql.md` artifact mentioned in the skill's operational pipeline. This indicates the presence of a blacklisted external reference within the skill's logic.
- DATA_EXFILTRATION (HIGH): The skill has access to highly sensitive database fields, including user emails, access tokens, and Stripe customer IDs, as documented in `schema.md`. The combination of this data access with both `WebFetch` and `Bash` tools creates a significant technical path for data exfiltration, despite instruction-level masking requirements.
- EXTERNAL_DOWNLOADS (LOW): The skill documentation recommends installing the Supabase CLI globally (`npm install -g supabase`) and running local build commands (`npm install`) which involve downloading and executing external code packages.
- INDIRECT_PROMPT_INJECTION (LOW): The skill ingests untrusted data from database query results (e.g., user profile content) and system logs, which are then processed in a context where the agent has shell access. Evidence chain:
  1. Ingestion points: `execute_sql` and `get_logs` output.
  2. Boundary markers: Absent from instructions for data processing.
  3. Capability inventory: Bash, WebFetch, and full Supabase tool suite.
  4. Sanitization: Masking is required for specific credentials, but general content is not sanitized before being used in reasoning or potentially passed to tools.
Recommendations
- AI detected serious security threats
- Contains 1 malicious URL(s) - DO NOT USE
Audit Metadata