Low
github · 104 files analyzed
supabase-community/supabase-mcp
Minor capabilities, nothing alarming.
Outbound network 3
Environment variables (config / keys) 2
AI review
This is an official Supabase MCP server extension with no hidden instructions, prompt injection, or deceptive tool descriptions. The code accesses environment variables for authentication tokens as expected for its purpose, and network requests are made to legitimate Supabase API endpoints.
Model: deepseek-chat
Static findings
Outbound network · Makes outbound network requests
info
.github/workflows/release.yml:159
fetch(url)
low
packages/mcp-server-postgrest/src/server.ts:55
const response = await fetch(ensureTrailingSlash(apiUrl), {
low
packages/mcp-server-supabase/src/content-api/graphql.ts:164
const response = await fetch(url, {
Environment variables (config / keys) · Reads environment variables (config / API keys)
low
packages/mcp-server-supabase/src/transports/stdio.ts:51
const accessToken = cliAccessToken ?? process.env.SUPABASE_ACCESS_TOKEN;
low
packages/mcp-server-supabase/vitest.setup.ts:5
if (!process.env.CI) {
MCPVet is a heuristic aid, not a security guarantee. A clean grade does not prove an extension is safe; always review code and instructions you don't trust.