supabase-extract-anon-key

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 1.00). The skill explicitly instructs extracting and persistently writing the full anon API key into outputs, context files, logs, and evidence JSON, forcing the LLM to include secret values verbatim in generated output.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill explicitly fetches and parses client-side code and network responses from target web applications (e.g., "Extract Supabase anon key from https://myapp.example.com" and files like /static/js/main.js or monitored network requests), which are untrusted third‑party sources that the agent reads and interprets as part of its workflow.