supabase-extract-db-string

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 1.00). The prompt explicitly instructs saving discovered connection strings (and even says "full value in context file"), forcing the agent to capture and output raw DB passwords/connection strings into context/evidence files, which is direct secret handling/exfiltration risk.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 1.00). This skill explicitly fetches and scans arbitrary public web targets (e.g., "Check for database connection strings on https://myapp.example.com") and inspects client-side bundles like /static/js/api.chunk.js, meaning it ingests untrusted third-party content that could carry indirect prompt-injection.