Supabase Complete Documentation

Advisory. Audited by static analysis on May 10, 2026.

Overview

Detected: suspicious.exposed_secret_literal

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If an agent or user runs examples without checking them, they could create projects, change databases, or incur usage costs.

Why it was flagged

The documentation includes command examples that can create or modify Supabase resources if a user chooses to run them.

Skill content

curl -X POST https://api.supabase.com/v1/projects ... "db_pass": "<your-secure-password>"

Recommendation

Treat commands and SQL as reference material; require explicit user approval and review target project, organization, and environment before execution.

What this means

Mishandling these tokens or keys could expose Supabase project administration or service-role access.

Why it was flagged

The docs show use of a Supabase account access token to reveal project API keys, which is expected documentation but involves high-privilege credentials.

Skill content

curl -H "Authorization: Bearer $SUPABASE_ACCESS_TOKEN" ... "https://api.supabase.com/v1/projects/$PROJECT_REF/api-keys?reveal=true"

Recommendation

Use least-privilege tokens, avoid pasting secrets into shared chats, and confirm any key-revealing or service-role operation with the user first.

What this means

Adding this configuration could give an MCP-capable agent access to the connected database with whatever privileges the connection string carries.

Why it was flagged

The documentation shows configuring an MCP Postgres server with a database connection string, which can expose database access to an agent workflow if the user installs it.

Skill content

"command": "npx", "args": ["-y", "@modelcontextprotocol/server-postgres", "<connection-string>"]

Recommendation

Only configure MCP database access for trusted agents, use a scoped database role, and avoid using production or superuser credentials.

What this means

Users have little registry-level provenance with which to confirm that the bundled docs exactly match the official Supabase documentation.

Why it was flagged

The registry metadata does not provide a verifiable source or homepage, although the README claims the docs were extracted from the Supabase GitHub repository.

Skill content

Source: unknown; Homepage: none

Recommendation

For security-sensitive guidance, compare examples against the official Supabase documentation or repository before applying them.

Findings (16)

critical: suspicious.exposed_secret_literal
Location: references/guides/ai/integrations/roboflow.mdx:56
Finding: File appears to expose a hardcoded API secret or token.

critical: suspicious.exposed_secret_literal
Location: references/guides/auth/auth-identity-linking.mdx:109
Finding: File appears to expose a hardcoded API secret or token.

critical: suspicious.exposed_secret_literal
Location: references/guides/auth/jwts.mdx:136
Finding: File appears to expose a hardcoded API secret or token.

critical: suspicious.exposed_secret_literal
Location: references/guides/auth/quickstarts/with-expo-react-native-social-auth.mdx:637
Finding: File appears to expose a hardcoded API secret or token.

critical: suspicious.exposed_secret_literal
Location: references/guides/auth/social-login/auth-facebook.mdx:182
Finding: File appears to expose a hardcoded API secret or token.

critical: suspicious.exposed_secret_literal
Location: references/guides/auth/social-login/auth-google.mdx:148
Finding: File appears to expose a hardcoded API secret or token.

critical: suspicious.exposed_secret_literal
Location: references/guides/auth/third-party/auth0.mdx:66
Finding: File appears to expose a hardcoded API secret or token.

critical: suspicious.exposed_secret_literal
Location: references/guides/auth/third-party/aws-cognito.mdx:58
Finding: File appears to expose a hardcoded API secret or token.

critical: suspicious.exposed_secret_literal
Location: references/guides/auth/third-party/clerk.mdx:80
Finding: File appears to expose a hardcoded API secret or token.

critical: suspicious.exposed_secret_literal
Location: references/guides/auth/third-party/firebase-auth.mdx:78
Finding: File appears to expose a hardcoded API secret or token.

critical: suspicious.exposed_secret_literal
Location: references/guides/functions/examples/amazon-bedrock-image-generator.mdx:135
Finding: File appears to expose a hardcoded API secret or token.

critical: suspicious.exposed_secret_literal
Location: references/guides/functions/examples/push-notifications.mdx:204
Finding: File appears to expose a hardcoded API secret or token.

critical: suspicious.exposed_secret_literal
Location: references/guides/functions/quickstart.mdx:126
Finding: File appears to expose a hardcoded API secret or token.

critical: suspicious.exposed_secret_literal
Location: references/guides/getting-started/tutorials/with-kotlin.mdx:71
Finding: File appears to expose a hardcoded API secret or token.

critical: suspicious.exposed_secret_literal
Location: references/guides/platform/migrating-to-supabase/auth0.mdx:108
Finding: File appears to expose a hardcoded API secret or token.

critical: suspicious.exposed_secret_literal
Location: references/guides/storage/uploads/resumable-uploads.mdx:272
Finding: File appears to expose a hardcoded API secret or token.