supabase-server

Fail

Audited by Snyk on Apr 23, 2026

Risk Level: HIGH
Full Analysis

HIGH W007: Insecure credential handling detected in skill instructions.

  • Insecure credential handling detected (high risk: 0.80). The prompt contains examples that embed secret values verbatim (e.g., an apikey header carrying sb_secret_..., and CLI commands such as supabase secrets set STRIPE_SECRET_KEY=sk_live_...). Examples of this shape encourage the model to copy real secrets directly into generated code or commands, from where they can leak into commit history, logs or transcripts, so they create an exfiltration risk.
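As an added example (not code from the audited skill or from Snyk's scanner), the following JavaScript detects secret literals of the kinds named in the finding and rewrites them to environment-variable references, which is the form the instructions should use. The sb_secret_ and sk_live_ prefixes come from the finding; whsec_ is Stripe's webhook-secret prefix; the character classes, minimum lengths, the sample instruction lines and the placeholder variable names are assumptions made for the example, not the vendors' exact key formats or the skill's actual text.

```javascript
// Added example, not code from the audited skill or from Snyk's scanner: a
// minimal detector for secret literals embedded in skill instructions, and a
// rewrite that replaces them with environment-variable references.
// Assumptions: sb_secret_ and sk_live_ prefixes come from the finding; whsec_
// is Stripe's webhook-secret prefix; character classes and minimum lengths are
// heuristics, not the vendors' exact key formats; the environment variable
// names used as placeholders are illustrative.

const SECRET_PATTERNS = [
  { name: 'supabase-secret-key',   re: /\bsb_secret_[A-Za-z0-9_-]{12,}/g,    env: 'SUPABASE_SECRET_KEY' },
  { name: 'stripe-secret-key',     re: /\bsk_(?:live|test)_[A-Za-z0-9]{12,}/g, env: 'STRIPE_SECRET_KEY' },
  { name: 'stripe-webhook-secret', re: /\bwhsec_[A-Za-z0-9]{12,}/g,          env: 'STRIPE_WEBHOOK_SECRET' },
];

// Scan instruction text line by line; returns one hit per embedded secret
// with a truncated preview so the report itself does not repeat the value.
function findSecrets(text) {
  const hits = [];
  text.split('\n').forEach((line, i) => {
    for (const p of SECRET_PATTERNS) {
      for (const m of line.matchAll(p.re)) {
        hits.push({ line: i + 1, name: p.name, preview: m[0].slice(0, 10) + '...' });
      }
    }
  });
  return hits;
}

// Replace each secret literal with a $ENV reference so the instructions tell
// the model to read the value from the environment instead of inlining it.
function redact(text) {
  let out = text;
  for (const p of SECRET_PATTERNS) out = out.replace(p.re, () => '$' + p.env);
  return out;
}

// Constructed sample instructions with obviously fake key values.
const SAMPLE_INSTRUCTIONS = [
  'curl -H "apikey: sb_secret_FAKE0123456789abcdef" https://example.supabase.co/rest/v1/orders',
  'supabase secrets set STRIPE_SECRET_KEY=sk_live_FAKE0123456789abcdef',
  'supabase secrets set STRIPE_WEBHOOK_SECRET=whsec_FAKE0123456789abcdef',
  'Read the key from the environment at runtime: process.env.STRIPE_SECRET_KEY',
].join('\n');

console.log(findSecrets(SAMPLE_INSTRUCTIONS));
console.log(redact(SAMPLE_INSTRUCTIONS));
```

The scanner only recognises keys with a known prefix, so it is a check on the instructions, not a substitute for keeping secrets out of them. The fourth sample line shows the form that passes: the instruction names the variable and leaves the value to the runtime environment.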

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

  • Direct money access detected (high risk: 1.00). The skill explicitly includes a Stripe webhook example: it imports the Stripe SDK, references STRIPE_SECRET_KEY and STRIPE_WEBHOOK_SECRET, constructs and verifies webhook events, and updates order status (e.g., on checkout.session.completed). This is a specific payment gateway integration (Stripe), not a generic API call or browser automation, so it constitutes direct financial execution capability. The finding describes a capability rather than a defect; what a reviewer of the skill should confirm is that the example only changes order state after the webhook signature has been verified against the raw request body.

Issues (2)

W007
HIGH

Insecure credential handling detected in skill instructions.

W009
MEDIUM

Direct money access capability detected (payment gateways, crypto, banking).

Audit Metadata
Risk Level
HIGH
Analyzed
Apr 23, 2026, 01:35 PM
Issues
2