supabase-project-creator

Fail

Audited by Snyk on Feb 16, 2026

Risk Level: HIGH
Full Analysis

HIGH W007: Insecure credential handling detected in skill instructions.

  • Insecure credential handling detected (high risk: 1.00). The skill explicitly instructs the agent to retrieve sensitive secrets from MCP memory (Google client secret, Apple private key, Supabase keys) and include them verbatim in the output/configuration steps, requiring the LLM to handle secrets directly.

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

  • Direct money access detected (high risk: 1.00). This skill includes specific, non-generic APIs that query and confirm billing for a Supabase project: mcp__supabase__get_cost and mcp__supabase__confirm_cost (with recurrence and amount), and then mcp__supabase__create_project using a confirm_cost_id. Those calls explicitly authorize/confirm costs and tie resource creation to billing, which is direct financial execution (authorizing charges). Therefore it meets the criteria for a financial-execution-capable skill.
Audit Metadata

Risk Level: HIGH
Analyzed: Feb 16, 2026, 01:45 AM