backend-development
Fail
Audited by Snyk on Feb 23, 2026
Risk Level: HIGH
Full Analysis
HIGH W007: Insecure credential handling detected in skill instructions.
- Insecure credential handling detected (high risk: 1.00). The workflow explicitly instructs adding vault secrets with the user's actual local values into seed.sql and shows SQL like SELECT vault.create_secret('', '<secret_name>') which requires embedding secret values verbatim into generated files/commands, creating an exfiltration risk.
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.70). The skill includes explicit guidance to accept and handle external webhooks (references/with_supabase.md — "public" endpoints) and an edge-function example that reads document content from the database and sends it to an LLM (references/edge_functions.md: callOpenAI(buildPrompt("summarize", doc.content))), so untrusted third-party or user-provided content is ingested and can directly influence downstream tool/API calls.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 0.80). The skill uses a runtime HTTP call to invoke Edge Functions via the SUPABASE_URL Vault secret (e.g., http://host.docker.internal:54321/functions/v1/ or https://your-project.supabase.co/functions/v1/) from _internal_call_edge_function/_internal_call_edge_function_sync (pg_net net.http_post), which executes remote code and is a required dependency for the workflow.
Audit Metadata