codex-supabase

SUSPICIOUS: the skill's goal matches Supabase connectivity, but it uses a less-official local MCP package flow and forwards a Supabase API key to external code via command line. This is not clearly malicious, but the install path and credential handling are riskier than necessary for the stated purpose.