Critical-risk tools in Supabase
7 of the 63 tools in Supabase are classified as critical risk. This page profiles those tools specifically, with recommended policy actions and the attack patterns that target them.
Every operation listed below is an action PolicyLayer recommends controlling at the transport layer. Open any tool to see the full profile, risk score, and YAML policy snippet.
Tools at critical risk
-
delete_branchDestructive 4/5Deletes a development branch.
-
reset_branchDestructive 4/5Resets migrations of a development branch. Any untracked data or schema changes will be lost.
-
sb_delete_bucketDestructive 4/5Delete a storage bucket from Supabase. The bucket must be empty before deletion. Use sb_delete_objects to remove files first.
-
sb_delete_objectsDestructive 4/5Delete one or more objects from a Supabase storage bucket. Provide an array of file paths to delete.
-
sb_delete_recordsDestructive 4/5Delete records from a Supabase table matching a filter. Filter is REQUIRED to prevent accidental full-table deletion. Use sb_list_records first to verify which records will be d...
-
sb_delete_secretsDestructive 4/5Delete secrets (environment variables) from a Supabase project by name.
-
sb_delete_userDestructive 4/5Delete a user from Supabase Auth. This permanently removes the user and all their auth data.
Attacks that target this class
Critical-risk tools in any server share these documented attack patterns. Each links to the full case and the defensive policy.
More on Supabase
Enforce policy on Supabase
One command generates a policy scaffold for every server in your MCP config.
npx -y @policylayer/intercept init