Supabase ⚡

Security checks across malware telemetry and agentic risk

Overview

This Supabase helper mostly does what it says, but it asks for a full-admin database key and includes an under-disclosed SQL execution command that can exceed its read-only claims.

Review before installing. Use this only in trusted workspaces and on trusted machines, prefer environment variables or a secret manager over the plaintext config file, rotate the service_role key if exposed, avoid the query command unless you intentionally maintain a safe exec_sql RPC, and keep reports that include names or emails limited to people authorized to see user data.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Rogue Agent: Self-Modification, Session Persistence
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (11)

Lp3

Medium
Category
MCP Least Privilege
Confidence
88% confidence
Finding
The skill declares no explicit permissions despite requiring environment variables, local file storage, shell execution, and network access to a highly privileged Supabase admin interface. This weakens user consent and review because the documentation normalizes use of a full-access service_role key while omitting a formal permission boundary.

Tp4

High
Category
MCP Tool Poisoning
Confidence
91% confidence
Finding
The documented purpose frames the skill as simple analytics, but the content indicates broader administrative capabilities including credential collection/storage, table discovery, and potentially arbitrary query behavior. That mismatch can cause users to authorize a much more powerful integration than they intended, increasing the risk of data exposure or misuse.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The skill is described as user analytics and database querying, but it also exposes arbitrary SQL execution through an RPC endpoint. That substantially expands capability beyond read-oriented analytics and can enable destructive writes, schema changes, or sensitive data extraction if the backing RPC is permissive and the service key is highly privileged.

Context-Inappropriate Capability

Medium
Confidence
98% confidence
Finding
The script explicitly recommends full-access service_role JWT credentials for an analytics-oriented tool, violating least-privilege principles. If the host, config, or downstream RPC is abused, a service_role key can grant broad administrative access to user data and database operations.

Vague Triggers

Medium
Confidence
80% confidence
Finding
Using the broad trigger phrase "database" makes accidental invocation more likely in unrelated contexts. In a skill that uses privileged credentials and can expose user records, overly generic routing raises the chance of unintended access to sensitive data.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The examples encourage listing names and email addresses without a strong privacy warning or guidance on data minimization. Even if this is an intended admin workflow, normalizing display of PII in chat increases the risk of unnecessary exposure, logging, and sharing beyond those who need access.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The tool persists the Supabase service key to a local config file, which increases credential exposure risk if the host is compromised, backups are accessible, or users are unaware the secret is being stored. Although file permissions are tightened, the absence of an explicit warning and safer storage option makes this a real secret-handling weakness.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The skill retrieves and displays user account details such as email, names, providers, and signup timestamps through the admin API without any privacy warning or minimization. In the context of an analytics skill, exposing identifiable user data is broader and more sensitive than simple counts or aggregate metrics.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The skill transmits arbitrary SQL to a remote RPC endpoint without an explicit warning that the command may execute server-side with privileged database access. Combined with the recommendation to use service_role credentials, this creates a significant risk of destructive or privacy-impacting remote operations beyond the stated analytics use case.

Ssd 3

Medium
Confidence
94% confidence
Finding
The skill explicitly documents automated chat reports that include user names and email addresses on a recurring schedule. Routine delivery of PII into chat channels can create persistent secondary copies, broaden access, and leak personal data to unauthorized viewers or downstream systems.

Session Persistence

Medium
Category
Rogue Agent
Content
**Option B: Manual config**
Create `~/.supabase_config.json`:
```json
{
  "url": "https://xxxxx.supabase.co",
```
Confidence
78% confidence
Finding
Create `~/.supabase_config

VirusTotal

66/66 vendors flagged this skill as clean.
