Byted Supabase

Security checks across malware telemetry and agentic risk

Overview

This appears to be a legitimate Supabase administration skill, but it needs review because some powerful database and secret-handling controls are under-enforced.

Install only if you intend to give the skill administrator-level access to Volcengine Supabase resources. Use least-privilege credentials, avoid revealing service-role keys in chat or logs, review all SQL and deployments before execution, and do not rely on READ_ONLY as a complete safety control until execute-sql and list-migrations are fixed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (15)

Lp3

Medium
Category
MCP Least Privilege
Confidence
90%
Finding
The skill instructs the agent to run a local Python CLI that inherently uses environment credentials, local files, and network access, but the skill does not declare permissions or constrain those capabilities. This creates a trust-boundary problem: an agent may invoke operations that access secrets or remote infrastructure without transparent permission signaling, increasing the risk of unintended data exposure or unauthorized changes.

Intent-Code Divergence

Medium
Confidence
97%
Finding
The RLS example is presented as a quick enablement template, but the shown policies effectively allow anyone to select, insert, update, and delete all rows. In a Supabase management skill, users may copy this directly into production, believing they are improving security while actually disabling meaningful access control.

Intent-Code Divergence

High
Confidence
98%
Finding
`apply_migration` is decorated with `@read_only_check` but clearly performs writes: it creates schema/table, executes arbitrary migration SQL, and inserts a migration record. If callers rely on the read-only guard for safety policy enforcement, this mismatch can bypass operational restrictions and permit unauthorized destructive changes.

Intent-Code Divergence

Medium
Confidence
95%
Finding
`list_migrations` is named and presented as a read-style operation, but it issues `CREATE SCHEMA IF NOT EXISTS` and `CREATE TABLE IF NOT EXISTS` before selecting rows. That hidden side effect violates least surprise and can modify databases in contexts where callers expected a harmless inspection-only action.

Intent-Code Divergence

Medium
Confidence
96%
Finding
The code defines `RESERVED_SLUGS` and `MAX_SLUG_LENGTH` and calls `_validate_function_name()` before get/deploy/delete operations, but the validator is an empty no-op. This means untrusted function names are accepted despite documented constraints, allowing deployment or deletion attempts against reserved or malformed names and creating a mismatch between expected safety checks and actual behavior. In a management skill that directly performs live API operations, missing identifier validation increases the risk of unintended resource targeting, namespace collisions, and abuse of backend edge-function endpoints.

Context-Inappropriate Capability

Medium
Confidence
95%
Finding
The helper returns and can optionally fully reveal both publishable keys and the service-role key, which is a highly privileged secret that can bypass normal client-side restrictions. In a user-facing workspace-management skill, exposing service-role credentials materially increases the blast radius of prompt abuse, operator mistakes, or downstream logging leaks.

Missing User Warnings

Medium
Confidence
81%
Finding
The playbook includes UPDATE and DELETE examples without surrounding cautions about modifying live data, transaction use, backups, or environment verification. In an operational database-management skill, such examples can be executed directly by users and lead to accidental data loss or corruption.

Missing User Warnings

High
Confidence
98%
Finding
This section provides a copy-pastable policy set that makes a table fully readable and writable by the public, including delete access, without warning about exposure or privilege bypass. Given this skill is specifically for managing Supabase backends, the context makes the risk more severe because the guidance is likely to be applied to real hosted databases and APIs.

Missing User Warnings

Medium
Confidence
91%
Finding
The workflow explicitly recommends using `get-keys` to retrieve workspace keys as part of routine connection setup, but it provides no caution about secret handling, least-privilege use, or avoiding unnecessary disclosure. In a Supabase management skill, credentials can grant broad database or API access, so normalizing key retrieval without guardrails increases the risk of accidental exposure, misuse, or leaking highly privileged secrets into logs or chat output.

Missing User Warnings

Medium
Confidence
86%
Finding
The troubleshooting workflow suggests `execute-sql` for temporary queries without distinguishing read-only diagnostics from statements that can modify or destroy data. Because this skill manages live Supabase databases, presenting arbitrary SQL execution as a routine troubleshooting step can lead to accidental destructive changes, privilege abuse, or unsafe operations against production environments.

Missing User Warnings

Medium
Confidence
83%
Finding
The Edge Function release steps include `deploy-edge-function` but do not warn that deployment changes live backend behavior and may affect authentication, data flows, or external integrations. In this skill's context, deploying functions is an operationally sensitive action, so omitting change-control cautions can cause unintended outages, logic regressions, or exposure of insecure code to production traffic.

Missing User Warnings

Medium
Confidence
91%
Finding
This client exposes raw API keys, including service-role credentials, directly to callers and even caches them in-process. In the context of an agent skill that can be invoked from user-driven workflows, returning privileged secrets without strict authorization checks or masking can enable credential exfiltration and full backend compromise.

Missing User Warnings

Medium
Confidence
88%
Finding
`execute_sql` exposes raw arbitrary SQL execution with no built-in restriction to read-only statements, no allowlist, and no visible confirmation workflow. In a skill that brokers database access through a local CLI, this greatly increases the risk of accidental or unauthorized destructive commands, privilege changes, or data exfiltration if upstream controls fail or are misused.

Missing User Warnings

Medium
Confidence
91%
Finding
`apply_migration` wraps and executes arbitrary migration SQL inside a transaction, enabling schema and data changes that may be destructive. Because this skill is explicitly for managing Supabase resources, the capability is expected, but the absence of a visible confirmation/approval gate or stronger write controls makes misuse materially dangerous.

Missing User Warnings

Medium
Confidence
92%
Finding
The reveal flag allows full API key disclosure with no visible warning, secondary confirmation, or indication that highly sensitive credentials may be returned. Because this skill is intended for agent-mediated operations, silent secret disclosure is especially dangerous: a prompt injection or mistaken instruction could cause credential exfiltration directly into chat history, logs, or external integrations.

VirusTotal

66/66 vendors flagged this skill as clean.