supabase-database
Audited by Socket on Mar 1, 2026
1 alert found:
Security: This skill README documents expected operations for interacting with a Supabase REST API and is functionally consistent with its stated purpose. The primary security concerns are (1) handling of SUPABASE_KEY, especially the recommendation to use a service_role key, which has full admin privileges and bypasses RLS, and (2) sourcing a helper script from a relative path (../../scripts/supabase-api.sh), which creates a supply-chain risk: whoever controls that file can execute arbitrary commands in the caller's shell. There are legitimate destructive operations (DELETE, UPDATE, RPC) described; these are appropriate for DB admin tasks but high-risk if keys are leaked or the helper script is tampered with. No direct signs of malware, obfuscation, or third-party exfiltration endpoints are present in this file. Recommended mitigations: avoid using service_role keys in client contexts, store keys in a secure vault or use short-lived scoped credentials, verify and pin the helper script contents (or vendor it), and restrict who can update the helper script to reduce supply-chain risk.