Supabase Complete Documentation
ReviewAudited by ClawScan on May 10, 2026.
Overview
Prompt-injection indicators were detected in the submitted artifacts (base64-block); human review is required before treating this skill as clean.
This skill appears safe as a documentation bundle. Before installing, understand that it contains many examples involving Supabase tokens, service-role keys, SQL, curl commands, and MCP database setup. Do not allow an agent to execute these examples or reveal credentials unless you have reviewed the exact command, target project, and permissions. ClawScan detected prompt-injection indicators (base64-block), so this skill requires review even though the model response was benign.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If an agent or user runs examples without checking them, they could create projects, change databases, or incur usage costs.
The documentation includes command examples that can create or modify Supabase resources if a user chooses to run them.
curl -X POST https://api.supabase.com/v1/projects ... "db_pass": "<your-secure-password>"
Treat commands and SQL as reference material; require explicit user approval and review target project, organization, and environment before execution.
Mishandling these tokens or keys could expose Supabase project administration or service-role access.
The docs show use of a Supabase account access token to reveal project API keys, which is expected documentation but involves high-privilege credentials.
curl -H "Authorization: Bearer $SUPABASE_ACCESS_TOKEN" ... "https://api.supabase.com/v1/projects/$PROJECT_REF/api-keys?reveal=true"
Use least-privilege tokens, avoid pasting secrets into shared chats, and confirm any key-revealing or service-role operation with the user first.
Adding this configuration could give an MCP-capable agent access to the connected database according to the connection string's privileges.
The documentation shows configuring an MCP Postgres server with a database connection string, which can expose database access to an agent workflow if the user installs it.
"command": "npx", "args": ["-y", "@modelcontextprotocol/server-postgres", "<connection-string>"]
Only configure MCP database access for trusted agents, use a scoped database role, and avoid using production or superuser credentials.
Users have less registry-level provenance for confirming that the bundled docs exactly match official Supabase documentation.
The registry metadata does not provide a verifiable source or homepage, although the README claims the docs were extracted from the Supabase GitHub repository.
Source: unknown; Homepage: none
For security-sensitive guidance, compare examples against the official Supabase documentation or repository before applying them.