supabase-skill

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 1.00). The prompt includes examples that embed SUPABASE_ACCESS_TOKEN values directly in CLI commands and discusses supplying personal access tokens for MCP setup, which encourages placing secret keys verbatim into generated commands/outputs.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). Flagged because the skill explicitly instructs running a remote package with npx (npx -y @supabase/mcp-server-supabase@latest), which fetches and executes remote code during MCP server setup and is presented as a required dependency that can affect agent runtime behavior.