Security Audit
supabase
github.com/Mrc220/agent_flywheel_clawdbot_skills_and_integrations
Trust Assessment
supabase received a trust score of 65/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 4 findings: 2 critical, 2 high, 0 medium, and 0 low severity. Key findings include: potential for command injection via CLI arguments; direct exposure of secrets management commands leading to credential harvesting; and potential for data exfiltration and arbitrary file access via storage commands.
The analysis covered 4 layers: manifest_analysis, llm_behavioral_safety, static_code_analysis, dependency_graph. The llm_behavioral_safety layer scored lowest at 10/100, indicating areas for improvement.
Last analyzed on February 11, 2026 (commit c7bd8e0f). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (4)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | **Potential for Command Injection via CLI arguments.** The skill describes numerous `supabase` CLI commands that accept arguments (e.g., project IDs, migration names, function names, file paths, secret names, secret values). If an AI agent directly interpolates untrusted user input into these arguments without robust sanitization (e.g., escaping shell metacharacters), an attacker could inject arbitrary shell commands. This could lead to remote code execution, data manipulation, or system compromise on the host environment where the agent operates. Implement robust input validation and shell escaping for all user-provided arguments before executing `supabase` CLI commands. Use a safe subprocess execution method that avoids shell interpretation where possible, or explicitly quote/escape all arguments. Consider using an allow-list approach for argument values where feasible. | Unknown | SKILL.md:14 |
| CRITICAL | **Direct exposure of secrets management commands leading to credential harvesting.** The skill explicitly exposes `supabase secrets set` and `supabase secrets list` commands. If an AI agent allows untrusted user input to control the execution or arguments of these commands, an attacker could: 1) Instruct the agent to list existing secrets (`supabase secrets list`) and then exfiltrate them. 2) Instruct the agent to set a secret with a value controlled by the attacker (`supabase secrets set <NAME>=<value>`), potentially overwriting legitimate secrets or storing attacker-controlled data for later retrieval. This poses a severe risk of credential harvesting and unauthorized access. Strictly restrict access to `supabase secrets` commands. If secrets management is absolutely necessary, implement strong authorization, multi-factor authentication, and explicit user confirmation mechanisms. Never allow user-controlled values for secret names or values without extreme sanitization and explicit, human-verified consent. Ensure the output of `supabase secrets list` is never directly exposed or exfiltrated. | Unknown | SKILL.md:99 |
| HIGH | **Potential for data exfiltration and arbitrary file access via storage commands.** The `supabase storage cp` commands allow copying files between the local filesystem and Supabase storage. If an AI agent allows untrusted user input to specify local paths or bucket/object paths, an attacker could: 1) Instruct the agent to copy sensitive local files (e.g., `/etc/passwd`, `~/.ssh/id_rsa`, environment variables) to Supabase storage, leading to data exfiltration. 2) Instruct the agent to download arbitrary files from Supabase storage to sensitive local paths, potentially overwriting critical system files or introducing malicious content. This also implies excessive permissions for filesystem access. Implement strict validation and allow-listing for all file paths and bucket/object names provided by untrusted input. Restrict the agent's filesystem access to only necessary, non-sensitive directories. Avoid allowing arbitrary local paths for read or write operations. Implement access controls to prevent copying of sensitive files. | Unknown | SKILL.md:87 |
| HIGH | **Potential for SQL Injection via `db execute` command.** The `supabase db execute --sql "..."` command allows executing arbitrary SQL queries against the Supabase database. If an AI agent constructs the SQL query string directly from untrusted user input without proper sanitization or parameterization, an attacker could inject malicious SQL. This could lead to unauthorized data access, modification, or deletion within the database. Depending on the database configuration, this could also potentially be leveraged for command injection if the underlying database or `supabase` CLI allows for shell escapes within SQL strings. Never construct SQL queries by directly concatenating untrusted user input. Always use parameterized queries or a robust SQL escaping mechanism provided by a database client library. Restrict the types of SQL operations an agent can perform (e.g., disallow DDL or DML operations if not strictly necessary). | Unknown | SKILL.md:29 |