supabase-vercel-shop

Warn

Audited by Socket on Feb 17, 2026

1 alert found:

Security: MEDIUM
SKILL.md

[Skill Scanner] Backtick command substitution detected

This skill/documentation appears functionally consistent with its stated purpose and contains no clear malicious code. The primary security risks are operational: recommending use of a Supabase service-role key (high privilege) and using agent-managed connectors (mcp__supabase__*) which, if misconfigured or provided by an untrusted intermediary, could expose credentials or route requests through third parties. The aggressive ban on fallbacks can cause site outages or poor UX but is a design choice rather than malware. Recommend treating service role keys as highly sensitive secrets, using project-scoped MCPs only if you trust the connector operator, and adding explicit guidance on secret storage, rotation, and audit logging.

LLM verification: The skill document is coherently aligned with its stated purpose. It advocates CMS-driven content from Supabase, enforces zero-hardcoding practices, and provides development-time checks to maintain that discipline. There is no evident malicious behavior, credential harvesting, or insecure data flow in the fragment. The documented workflow and tooling (pre-commit hooks, hardcode checks) are proportionate to the stated goal. Overall verdict: BENIGN.

Confidence: 75%
Severity: 75%
Audit Metadata
Analyzed At
Feb 17, 2026, 12:35 AM
Package URL
pkg:socket/skills-sh/websmartteam%2Fcor-code%2Fsupabase-vercel-shop%2F@842095e0ae32e04908a89c7e5a979f0831fca872