g14wxz/database-webhook-trigger-pattern
Configures Postgres triggers and database webhooks for event-driven architectures in Supabase.
97
97%
Does it follow best practices?
Impact
Pending
No eval scenarios have been run
Critical
Do not install without reviewing
Security
2 findings — 1 critical severity, 1 high severity. Installing this skill is not recommended: please review these findings carefully if you do intend to do so.
E006: Malicious code pattern detected in skill scripts
What this means
Detected high-risk code patterns in the skill content — including its prompts, tool definitions, and resources — such as data exfiltration, backdoors, remote code execution, credential theft, system compromise, supply chain attacks, and obfuscation techniques.
Why it was flagged
Malicious code pattern detected (high risk: 0.90). This skill directly instructs creating database triggers that POST row data via pg_net to arbitrary endpoints on INSERT/UPDATE/DELETE, enabling straightforward data exfiltration and a persistent covert channel/backdoor if pointed at untrusted external hosts.
W007: Insecure credential handling detected in skill instructions
What this means
The skill handles credentials insecurely by requiring the agent to include secret values verbatim in its generated output. This exposes credentials in the agent’s context and conversation history, creating a risk of data exfiltration.
Why it was flagged
Insecure credential handling detected (high risk: 0.80). The skill requires inserting the operator-provided webhook URL verbatim into the trigger SQL and into the verification report (the "Destination Endpoint"), which would expose any secret or token contained in that URL through the agent's output — creating an exfiltration risk.
- Audited
- Security analysis