Critical-risk tools in Supabase
7 of the 63 tools in Supabase are classified as critical risk. This page profiles those tools specifically, with recommended policy actions and the attack patterns that target them.
Every operation listed below is an action PolicyLayer recommends controlling at the transport layer. Open any tool to see the full profile, risk score, and YAML policy snippet.
Tools at critical risk
-
delete_branchDestructiveDeletes a development branch.
-
reset_branchDestructiveResets migrations of a development branch. Any untracked data or schema changes will be lost.
-
sb_delete_bucketDestructiveDelete a storage bucket from Supabase. The bucket must be empty before deletion. Use sb_delete_objects to remove files first.
-
sb_delete_objectsDestructiveDelete one or more objects from a Supabase storage bucket. Provide an array of file paths to delete.
-
sb_delete_recordsDestructiveDelete records from a Supabase table matching a filter. Filter is REQUIRED to prevent accidental full-table deletion. Use sb_list_records first to verify which records will be d...
-
sb_delete_secretsDestructiveDelete secrets (environment variables) from a Supabase project by name.
-
sb_delete_userDestructiveDelete a user from Supabase Auth. This permanently removes the user and all their auth data.
Attacks that target this class
Critical-risk tools in any server share these documented attack patterns. Each links to the full case and the defensive policy.