v0.2.0 · live
CAPFRAME
← leaderboard/Supabase MCP/tool · create_branch
§ toolsandboxSupabase MCP

create_branch

on npm:@supabase/mcp-server-supabase@0.8.1

Severity

critical1
high1
medium1
low0
info0

3 findings on this tool

  1. criticalexcessive agencyf-r7-create_branch

    Tool `create_branch` exposes a code/command execution surface

    `create_branch` looks like it executes code or shell commands (Creates a development branch on a Supabase project. This will apply all migrations from the main project to a fresh branch database. Note that production data will not carry over. The branch will get its own project_id via the resulting project_ref. Use this ID to execute queries and migrations on the branch.). Arbitrary execution is the maximal authority a tool can hold -- it subsumes every other caveat, so it should never be exposed to an agent without a hard sandbox and an explicit, narrowly-scoped capability.

    fix: Do not expose raw code/shell execution to an agent. If unavoidable, run it in a disposable sandbox with no network + no host FS, gate it behind a capframe-bind capability scoped to an allow-list of commands, and require holder-of-key proof per call.

    OWASP LLM08NIST MANAGE-2.2ATLAS T0051
  2. highexcessive agencyf-r3-create_branch

    Tool `create_branch` name implies a side effect that is not declared

    `create_branch` looks like a side-effecting tool (its name contains a mutation verb), but its `side_effects` declaration is []. A policy synthesizer cannot produce safe rules for this tool because it cannot tell what it actually does.

    fix: Declare the tool's true side effects explicitly. If the tool is genuinely read-only, rename it to match (e.g. `email.preview` rather than `email.send`).

    OWASP LLM08NIST MEASURE-2.6ATLAS T0051
  3. mediumunconstrained inputf-r1-create_branch

    Tool `create_branch` accepts unconstrained string input

    The following string parameter(s) have no `maxLength` constraint: `confirm_cost_id`, `name`, `project_id`. Unbounded strings let an attacker stuff arbitrary payloads through the tool, including indirect-injection content.

    fix: Add a `maxLength` to each string property, or constrain with an `enum` or `pattern`. Most legitimate tool inputs fit under a few hundred bytes.

    OWASP LLM01NIST MEASURE-2.3ATLAS T0051

About this tool

create_branch is one of 29 tools exposed by Supabase MCP. The server scored 10/100 overall against the capframe rule engine (source: sandbox). Last scanned 2026-06-05.

The findings above are emitted by the public capframe.findings.v1 schema. Disagree with one? Open an issue.