auth-configs
Warn
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: MEDIUM. Findings: CREDENTIALS_UNSAFE, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS
Full Analysis
- CREDENTIALS_UNSAFE (MEDIUM): The skill facilitates the use of the SUPABASE_SERVICE_ROLE_KEY, which grants full administrative access to a Supabase project. The setup-oauth-provider.sh script also stores OAuth Client Secrets in plain text within .env.local files.
- COMMAND_EXECUTION (MEDIUM): The provided setup script uses curl to send sensitive credentials to the Supabase API and sed to modify local configuration files. These operations are sensitive because they handle authentication secrets.
- PRIVILEGE_ESCALATION (LOW): The script recommends the use of sudo to install the jq dependency. While common for setup, recommending elevated privileges is a security concern.
- INDIRECT_PROMPT_INJECTION (LOW): The auth-helpers.ts file includes functions like getUserDisplayName that interpolate data from external OAuth providers directly into strings. This represents an ingestion point for untrusted data without sanitization. Ingestion points: user_metadata in auth-helpers.ts. Boundary markers: None. Capability inventory: Reusable frontend/backend helpers. Sanitization: None.