Back to skill

Security audit

Ecosincronia Supabase

Security checks across malware telemetry and agentic risk

Overview

This Supabase database skill appears purpose-aligned, but it gives an agent high-impact database authority and sends vector-search text to OpenAI without clear user-facing disclosure or guardrails.

Install only if you intentionally want an agent-operated Supabase admin tool. Use a least-privileged key or a staging project where possible, avoid production service-role credentials unless necessary, require explicit confirmation before writes/deletes/raw SQL/schema changes, and treat vector-search queries as data that may be sent to OpenAI.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Findings (7)

Lp3

Medium
Category
MCP Least Privilege
Confidence
91% confidence
Finding
The skill exposes shell-based database operations but does not declare corresponding permissions, which weakens reviewability and can cause the agent to invoke powerful command execution unexpectedly. In this context, the shell capability can run read/write/destructive Supabase operations using a service-role key, making undeclared capability use especially risky.

Tp4

High
Category
MCP Tool Poisoning
Confidence
95% confidence
Finding
The skill is presented as a Supabase database tool, but vector search may send user query text to OpenAI for embeddings via OPENAI_API_KEY, introducing undisclosed third-party data egress. This mismatch can cause sensitive prompts or database-related queries to be transmitted outside the expected service boundary without informed consent.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The vector-search command transmits the user’s query text to OpenAI to generate embeddings, which introduces a third-party data flow outside Supabase. This is security-relevant because users may assume their database/vector queries stay within Supabase, and sensitive search terms or embedded data can be disclosed to an external provider without clear justification or consent.

Vague Triggers

Medium
Confidence
82% confidence
Finding
The trigger text is broad enough to activate on many generic database, vector store, or embedding requests, increasing the chance this powerful skill is selected in situations where it is unnecessary or inappropriate. Because the skill supports raw SQL and destructive operations with a high-privilege service key, overbroad activation materially raises misuse risk.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The documentation normalizes insert, update, and delete commands without prominently warning that they modify or remove production data. In a skill intended for agent use, examples can directly shape behavior, so missing safety warnings increase the likelihood of accidental destructive actions against live databases.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
Raw SQL examples include schema-changing statements like CREATE TABLE but do not warn that arbitrary SQL can irreversibly alter schema, data, permissions, or availability. Given that the skill uses a Supabase service-role key that bypasses RLS, unsafe SQL execution in this context can have broad and immediate impact.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The script sends user-provided query text to OpenAI for embeddings without any user-facing warning, prompt, or disclosure. In a database-focused skill, this creates a meaningful privacy and data-handling risk because search queries may contain proprietary, personal, or otherwise sensitive information that users do not expect to leave the Supabase environment.

VirusTotal

61/61 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.