supabase-extract-service-key

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 1.00). The skill's templates and required outputs explicitly display the exposed service_role token (and ask for evidence/code snippets showing it), so the LLM would need to include secret values verbatim in its generated reports/files.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill explicitly fetches and scans untrusted public web content — e.g., the target application's HTML, JavaScript bundles and exposed source maps (e.g., https://myapp.example.com and /static/js/*.map) — and parses/decodes that content as part of its workflow, so it consumes arbitrary third‑party data that could carry indirect prompt injections.