
supabase-audit-buckets-read

Fail

Audited by Socket on Feb 15, 2026

1 alert found:

Obfuscated File (severity: HIGH)
SKILL.md

Functionally, the skill is a legitimate read-only storage auditing tool that effectively identifies exposed files and secrets in Supabase buckets. It does not contain code that exfiltrates data to external third parties or obfuscated malware. The main security concern is operational: the mandatory progressive persistence and encouragement to download full backups and secret files to local disk significantly increase the risk that sensitive data will be retained, leaked, or mishandled on the operator's host. Recommend adding explicit safeguards: require operator confirmation before downloading large or high-severity files, recommend encrypted evidence storage (or ephemeral in-memory sampling and redaction), enforce minimal sampling (not full downloads) unless pre-authorized, include secure deletion guidance, and clearly separate remediation SQL examples from any read-only execution context.

Confidence: 98%
Audit Metadata
Analyzed At
Feb 15, 2026, 08:15 PM
Package URL
pkg:socket/skills-sh/yoanbernabeu%2Fsupabase-pentest-skills%2Fsupabase-audit-buckets-read%2F@8637d32de607c5ec2195dc38cb8e3bfc6399c5cb