supabase
Warn
Audited by Gen Agent Trust Hub on Feb 25, 2026
Risk Level: MEDIUM | COMMAND_EXECUTION | EXTERNAL_DOWNLOADS | PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The `query` command in `scripts/supabase.sh` allows the execution of arbitrary SQL strings. When used with the `SUPABASE_SERVICE_KEY`, which bypasses Row Level Security (RLS), the agent gains full administrative control over the database schema and data.
- [EXTERNAL_DOWNLOADS]: The `vector-search` command fetches embeddings from OpenAI's official API (api.openai.com). This is a well-known service used for legitimate vector operations.
- [PROMPT_INJECTION]: The skill processes data retrieved from database tables (via `select` or `query`) and passes it back to the agent without sanitization or boundary markers, creating an indirect prompt injection surface.
  - Ingestion points: Data returned from Supabase REST and RPC endpoints in `scripts/supabase.sh`.
  - Boundary markers: None identified in the script or instructions.
  - Capability inventory: The skill can execute arbitrary SQL (`cmd_query`), perform network requests via `curl`, and call generic database functions (`cmd_rpc`).
  - Sanitization: The script uses `jq` to properly encode outgoing JSON payloads and SQL strings, but it does not sanitize or validate incoming data from the database before presenting it to the agent.
Audit Metadata