supabase-mcp-integration
Audited by Socket on Feb 15, 2026
1 alert found:
Malware [Skill Scanner]: Installation of third-party script detected

All findings (16, grouped by rule):
- [CRITICAL] command_injection: Installation of third-party script detected (SC006) [AITech 9.1.4] (4 occurrences)
- [HIGH] hardcoded_secrets: Generic secret pattern detected (HS005) [AITech 8.2] (5 occurrences)
- [HIGH] command_injection: Backtick command substitution detected (CI003) [AITech 9.1.4] (7 occurrences)

No evidence of malicious code or supply-chain backdoors in this skill. It is an instructional/documentation skill for Supabase integration, and its capabilities match the stated purpose. The primary risks are user/operational: example usage that logs tokens, and a service_role key shown in .env, could lead to accidental credential exposure if copied into client-side code or committed to a repository.
Recommend: strengthen warnings about service_role usage, remove or redact token console logs in examples, and emphasize secure storage and usage patterns for privileged keys.

LLM verification: This artifact is legitimate documentation and example code for Supabase integration. There is no direct evidence of malicious code or intentional obfuscation. The key security concerns are operational: placeholder credentials in examples (a copy-paste hazard), unpinned dependency installation advice (a supply-chain risk), and guidance that could lead to accidental exposure of high-privilege service_role keys in client-side contexts. Recommended mitigations: remove or scrub placeholder secret
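The controls the audit recommends, as an added Node.js example for this page (not code from the supabase-mcp-integration skill, and not a reproduction of Socket's SC006/HS005/CI003 rules): keep a service_role key out of any configuration a browser bundle can reach, render keys in logs only in masked form, flag unpinned or pipe-to-shell install commands, and flag example text that embeds a JWT or prints a token. It assumes legacy Supabase JWT-format keys, whose payload carries a "role" claim ("anon" or "service_role"); the fakeJwt helper, the project-ref URL, the package version and the sample .env/README lines are all constructed for the example.

```javascript
// Added example for this audit page; not code from the supabase-mcp-integration
// skill and not Socket's scanner logic. Assumes legacy Supabase JWT-format keys
// (payload carries a "role" claim). All sample values below are constructed.

const toB64url = (s) =>
  Buffer.from(s).toString('base64').replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
const fromB64url = (s) =>
  Buffer.from(s.replace(/-/g, '+').replace(/_/g, '/'), 'base64').toString('utf8');

// Build an unsigned JWT-shaped key for the samples (constructed, not a real key).
function fakeJwt(role) {
  const header = toB64url(JSON.stringify({ alg: 'HS256', typ: 'JWT' }));
  const payload = toB64url(JSON.stringify({ iss: 'supabase', role, ref: 'project-ref' }));
  return `${header}.${payload}.unsigned-sample-signature`;
}

// Read the "role" claim from a JWT-format key; null when the value is not a JWT.
function keyRole(key) {
  try {
    return JSON.parse(fromB64url(String(key).split('.')[1])).role || null;
  } catch {
    return null;
  }
}

// Log-safe rendering of a key: a short prefix for recognition, never the secret.
function maskKey(key) {
  if (typeof key !== 'string' || key.length < 12) return '[redacted]';
  return `${key.slice(0, 6)}...[redacted, ${key.length} chars]`;
}

// Build the Supabase config for the context the code runs in. Throws whenever a
// service_role key could reach a browser bundle.
function loadSupabaseConfig(env, { isBrowser }) {
  const url = env.SUPABASE_URL;
  const anonKey = env.SUPABASE_ANON_KEY;
  if (!url || !anonKey) throw new Error('SUPABASE_URL and SUPABASE_ANON_KEY are required');
  if (keyRole(anonKey) === 'service_role') {
    throw new Error('SUPABASE_ANON_KEY holds a service_role key; use the anon key here');
  }
  // Variables with these prefixes are inlined into client bundles by common frameworks.
  const publicPrefix = /^(NEXT_PUBLIC_|VITE_|REACT_APP_|EXPO_PUBLIC_|PUBLIC_)/;
  const leaked = Object.keys(env).filter(
    (k) => publicPrefix.test(k) && keyRole(env[k]) === 'service_role'
  );
  if (leaked.length > 0) {
    throw new Error(`service_role key exposed through public env var(s): ${leaked.join(', ')}`);
  }
  const config = { url, anonKey };
  const serviceRoleKey = env.SUPABASE_SERVICE_ROLE_KEY;
  if (serviceRoleKey) {
    if (isBrowser) throw new Error('service_role key present in a browser context');
    if (keyRole(serviceRoleKey) !== 'service_role') {
      throw new Error('SUPABASE_SERVICE_ROLE_KEY does not carry the service_role claim');
    }
    config.serviceRoleKey = serviceRoleKey; // server-only; bypasses row level security
  }
  return config;
}

// Flag the install advice the audit objects to: unpinned package installs and
// "fetch a script and pipe it to a shell" one-liners.
function checkInstallCommand(cmd) {
  const issues = [];
  const m = cmd.match(/\b(?:npm (?:install|i)|pnpm add|yarn add)\s+(.+)/);
  if (m) {
    for (const pkg of m[1].split(/\s+/).filter((p) => p && !p.startsWith('-'))) {
      // Scoped packages start with "@", so look for a version "@" after the name.
      const pinned = pkg.startsWith('@') ? pkg.indexOf('@', 1) > 0 : pkg.includes('@');
      if (!pinned) issues.push(`unpinned package: ${pkg}`);
    }
  }
  if (/\b(?:curl|wget)\b.*\|\s*(?:sudo\s+)?(?:ba|z)?sh\b/.test(cmd)) {
    issues.push('remote script piped into a shell');
  }
  return issues;
}

// Scan example text for the copy-paste hazards named in the audit: a JWT-looking
// literal, and a console.log line that prints something named token/key/secret.
function scanExampleText(text) {
  const findings = [];
  text.split('\n').forEach((line, i) => {
    if (/eyJ[\w-]{10,}\.[\w-]{10,}\.[\w-]+/.test(line)) {
      findings.push({ line: i + 1, kind: 'jwt_literal' });
    }
    if (/console\.(?:log|info|debug)\(.*\b(?:token|key|secret)\b/i.test(line)) {
      findings.push({ line: i + 1, kind: 'token_logged' });
    }
  });
  return findings;
}

// Constructed sample of the kind of .env/README snippet the audit describes.
const SAMPLE_EXAMPLE_TEXT = [
  'SUPABASE_URL=https://project-ref.supabase.co',
  `SUPABASE_SERVICE_ROLE_KEY=${fakeJwt('service_role')}`,
  'console.log("token:", session.access_token)',
  'console.log("client ready")',
].join('\n');
```

The privilege check reads the role claim out of the key itself rather than trusting the variable name, so a service_role key pasted into SUPABASE_ANON_KEY or into a NEXT_PUBLIC_ variable is caught either way. The caveat is the JWT assumption: a key that is not a JWT yields a null role, so non-JWT key formats would need their own prefix check before this guard is relied on.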