Back to skill

Security audit

Supabase LangGraph Checkpointer

Security checks across malware telemetry and agentic risk

Overview

This skill coherently stores LangGraph checkpoints in the user's Supabase project, but users need to protect the Supabase key and checkpoint data.

Install only if you are comfortable storing LangGraph checkpoint data in your Supabase project. Keep any service role key server-side and out of prompts, browser code, and logs; prefer the least-privileged key that works; and avoid checkpointing secrets or regulated data unless you have appropriate access controls, retention, and encryption in place.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The skill explicitly promotes use of a Supabase service role key but does not warn that this credential is highly privileged and can bypass normal row-level security controls. In the context of checkpointing, this can expose conversation state, tool outputs, and other sensitive application data if the key is mishandled, logged, or reused insecurely, and the description also omits any security guidance about transmitting that data to a remote REST endpoint.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal