flow-hybrid-search

SUSPICIOUS: the stated purpose is coherent, but the skill relies on executing an unpinned external CLI and forwards the API key through that CLI instead of documenting direct calls to the Supabase endpoint. With no supplied provenance evidence for the npm package or publisher relationship, the install/execution trust is only partially justified.