Supabase Hakke

Security checks across malware telemetry and agentic risk

Overview

This is a Supabase setup guide with powerful but visible admin commands, not hidden code or automatic execution.

Use this only for the intended Hakke Supabase project or after changing paths and project refs. Verify the active Supabase project before migrations, never run `db reset` on production, keep `SUPABASE_SERVICE_ROLE_KEY` server-side in protected secrets, and replace the server-client example with a cookie-aware Supabase SSR client before relying on authenticated RLS behavior.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (1)

Intent-Code Divergence

Medium
Confidence: 95%
Finding
The documented "server client" example is misleading because it creates a generic Supabase client with the public anon key and does not bind auth to the incoming request cookies/session. In a Next.js server context, this can cause developers to believe they are operating on behalf of the logged-in user when they are actually using an unauthenticated client, leading to broken authorization assumptions, incorrect RLS behavior, and accidental insecure workarounds.

VirusTotal

66/66 vendors flagged this skill as clean.