Supabase

Security checks across malware telemetry and agentic risk

Overview

This Supabase skill is aligned with database administration, but it grants broad full-access database control and external embedding calls with limited safeguards.

Install only if you intend to give the agent administrator-level Supabase access. Prefer a restricted project/key or test database where possible, review every write/delete/raw-SQL action before running it, and do not use vector search with sensitive query text unless sending that text to OpenAI is acceptable.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (7)

Lp3

Medium
Category
MCP Least Privilege
Confidence
86% confidence
Finding
The skill exposes shell-command execution patterns but does not declare corresponding permissions, which undermines security review and least-privilege controls. In an agent context, this can cause operators to underestimate the capability surface and allow execution of database-affecting commands without explicit approval boundaries.

Tp4

High
Category
MCP Tool Poisoning
Confidence
91% confidence
Finding
The skill description says it connects to Supabase, but the documentation also indicates use of OPENAI_API_KEY and OpenAI embeddings for vector search. This hidden dependency expands data flow to an additional third party, creating undisclosed exfiltration and compliance risk if user queries or documents are sent externally for embeddings.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The vector-search command transmits user-supplied query text to OpenAI to generate embeddings, adding a third-party data flow beyond Supabase operations. In a database skill, this creates an undisclosed external dependency and can leak sensitive search terms or proprietary data to a separate provider.

Vague Triggers

Medium
Confidence
80% confidence
Finding
The trigger language is broad enough to activate on many generic database, vector store, embedding, or Supabase-related requests. Over-broad invocation increases the chance that the agent routes unrelated or sensitive tasks into a high-privilege database skill, especially one using a service-role key that bypasses RLS.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The documentation prominently includes update and delete operations without clear warnings, safeguards, or confirmation requirements. In this skill's context, those operations are especially risky because the documented service role key bypasses RLS, so an unintended invocation could modify or remove protected data at full privilege.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
Documenting unrestricted raw SQL execution, including DDL like CREATE TABLE, enables schema-changing and potentially destructive operations with minimal friction. Because the skill is configured around a Supabase service role key that bypasses RLS, raw SQL materially raises the risk of full database compromise, data destruction, or unsafe privilege use if invoked improperly.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
User query text is sent to OpenAI without any warning, consent mechanism, or privacy notice. If users search with internal documents, credentials, personal data, or business-sensitive terms, that content may be exposed to an external service unexpectedly.

VirusTotal

64/64 vendors flagged this skill as clean.
