supabase

Warn

Audited by Socket on May 1, 2026

1 alert found:

Anomaly (LOW)
SKILL.md

SUSPICIOUS: the skill’s core behavior is coherent with its stated function, but it is not a direct Supabase integration. It requires users to trust Membrane as an intermediary for authentication, credential handling, and all Supabase API traffic, which is a meaningful scope and data-flow expansion. The npm-based CLI source appears vendor-consistent and not overtly malicious, but the mutable `latest` install and third-party credential/API mediation raise medium security concerns.

Confidence: 86%
Severity: 57%

Audit Metadata

Analyzed At: May 1, 2026, 09:24 PM
Package URL: pkg:socket/skills-sh/membranedev%2Fapplication-skills%2Fsupabase%2F@ccaed35ab9f2247742a64fe0483b709b31dab98b