supabase-skill
Pass
Audited by Gen Agent Trust Hub on May 19, 2026
Risk Level: SAFE
Full Analysis
- [SAFE]: The skill facilitates the installation and configuration of official Supabase components, such as
@supabase/mcp-server-supabaseand@supabase/supabase-js. These references are to well-known technology services and are documented neutrally per security guidelines. - [SAFE]: The documentation provides robust security guidance, including detailed patterns for Row Level Security (RLS), proper management of service role keys, and the use of
SECURITY DEFINERfunctions. It correctly warns users about the risks of RLS bypass and provides instructions for minimizing privilege. - [SAFE]: The skill explicitly addresses the risk of indirect prompt injection in MCP environments. It recommends best practices such as manual tool approval, read-only modes for exploration, and input sanitization, which are evidenced in the
references/mcp-setup.mdguide. - [SAFE]: Deterministic detector hits regarding
eval/execinreferences/mcp-setup.mdare false positives. The flagged text consists of security documentation that listsEXEC(andEXECUTE(as blocked patterns in a sanitization filter, rather than performing dangerous execution. - [SAFE]: Environment variables used in code examples and setup instructions (e.g.,
SUPABASE_ACCESS_TOKEN,NEXT_PUBLIC_SUPABASE_URL) correctly use placeholders or reference standard environment-based configuration, adhering to secure credential management practices.
Audit Metadata