
Database providers do just throw a postgres prompt at developers though, right? And that is what Supabase is – an infra provider.


That's an argument, I guess, for absolving Supabase of explicit responsibility for the resulting hilarity. It's not an argument that MCP prompt hacking is "not a serious security hole", which is the point I responded to upthread.


It's only a security hole if you give access to users though, right? If you are the one using the Supabase MCP, how is it any different than any other root access to a DB?


Because of lethal trifecta attacks: https://simonwillison.net/2025/Jun/16/the-lethal-trifecta/

If you are the person using the LLM tool, a prompt injection attack in a database row that you are allowed to view could trick your LLM tool into taking actions that you don't want it to take, including leaking other data you are allowed to see via writing to other tables or using other MCP tools.


Good point. I suppose the answer here then is to not allow the Supabase MCP any exfiltration pathways.
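The mechanism described two comments up (a poisoned row read through the same tool that holds private data) and the mitigation proposed here (no exfiltration pathways) can be enforced together with a session-level tool gate. The following is an added example, not code from the thread or from Supabase; the tool names and their capability labels are assumptions, not the real Supabase MCP tool set.

```python
"""Session-level gate against the "lethal trifecta": refuse any exfiltration-capable
tool call once the model's context already holds both private data and untrusted
content (e.g. a database row containing an injected instruction)."""
from dataclasses import dataclass, field

PRIVATE, UNTRUSTED, EXFIL = "private", "untrusted", "exfil"

# Which trifecta properties each (assumed, hypothetical) tool contributes. A SELECT over
# rows the user may see is both: the data is private, yet any row may carry
# attacker-written text that the model will happily read as instructions.
TOOL_CAPS = {
    "describe_schema": set(),
    "select_rows": {PRIVATE, UNTRUSTED},
    "insert_rows": {EXFIL},   # writes land in a table another principal can read
    "http_fetch": {EXFIL},    # a URL or request body can carry data out of the system
}


@dataclass
class SessionGuard:
    """Tracks which trifecta properties this session has already acquired."""
    acquired: set = field(default_factory=set)

    def allow(self, tool: str) -> bool:
        caps = TOOL_CAPS[tool]
        completes_trifecta = EXFIL in caps and {PRIVATE, UNTRUSTED} <= self.acquired
        if completes_trifecta:
            return False  # deny; the session degrades to read-only for the rest of its life
        self.acquired |= caps
        return True


def replay(calls):
    """Run a sequence of tool calls through one guard; returns (tool, allowed) pairs."""
    guard = SessionGuard()
    return [(tool, guard.allow(tool)) for tool in calls]


# Constructed scenario: the model reads rows (one of which contains an injected
# instruction), then tries to "back up" what it read into another table and to POST it out.
INJECTED_SESSION = ["describe_schema", "select_rows", "insert_rows", "http_fetch"]
# Writes that happen before any untrusted content is read cannot leak it, so they pass.
BENIGN_SESSION = ["describe_schema", "insert_rows", "select_rows"]

if __name__ == "__main__":
    for name, calls in [("injected", INJECTED_SESSION), ("benign", BENIGN_SESSION)]:
        print(name, replay(calls))
```

The gate is deliberately coarse: it does not try to detect the injection in the row text, it removes the third leg of the trifecta so that a successful injection has nowhere to send the data.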



