AGENT LAB: SKILLS
yoanbernabeu/supabase-pentest-skills

25 skills, 1.5K total installs

supabase-audit-rls

Test Row Level Security (RLS) policies for common bypass vulnerabilities and misconfigurations.

92

supabase-pentest

Orchestrate a complete Supabase security audit with guided step-by-step execution and ownership confirmation.

82

supabase-help

Quick reference for all Supabase security audit skills with usage examples and command overview.

69

supabase-audit-auth-config

Analyze Supabase authentication configuration for security weaknesses and misconfigurations.

68

supabase-audit-realtime

Test Supabase Realtime WebSocket channels for unauthorized subscriptions and data exposure.

67

supabase-report

Generate a comprehensive Markdown security audit report with executive summary, findings, and remediation guidance.

65

supabase-extract-db-string

CRITICAL - Detect exposed PostgreSQL database connection strings in client-side code. Direct DB access is a P0 issue.

63

supabase-audit-tables-list

List all tables exposed via the Supabase PostgREST API to identify the attack surface.

63

supabase-audit-functions

Discover and test Supabase Edge Functions for security vulnerabilities and misconfigurations.

63

supabase-extract-service-key

CRITICAL - Detect if the Supabase service_role key is leaked in client-side code. This is a P0 severity issue.

62

supabase-audit-rpc

List and test exposed PostgreSQL RPC functions for security issues and potential RLS bypass.

62

supabase-extract-anon-key

Extract the Supabase anon/public API key from client-side code. This key is expected in client apps but important for RLS testing.

62

supabase-extract-url

Extract the Supabase project URL from client-side JavaScript code, environment variables, and configuration files.

62

supabase-detect

Detect if a web application uses Supabase by analyzing client-side code, network patterns, and API endpoints.

61

supabase-audit-buckets-list

List all storage buckets and their configuration to identify the storage attack surface.

61

supabase-audit-buckets-public

Identify storage buckets that are publicly accessible and may contain sensitive data.

61

supabase-audit-tables-read

Attempt to read data from exposed tables to verify actual data exposure and RLS effectiveness.

61

supabase-audit-auth-signup

Test if user signup is open and identify potential abuse vectors in the registration process.

61

supabase-extract-jwt

Extract and decode Supabase-related JWTs from client-side code, cookies, and local storage patterns.

61

supabase-audit-auth-users

Test for user enumeration vulnerabilities through various authentication endpoints.

60

supabase-report-compare

Compare two security audit reports to track remediation progress and identify new vulnerabilities.

60

supabase-audit-authenticated

Create a test user (with explicit permission) to audit what authenticated users can access vs anonymous users. Detects IDOR, cross-user access, and privilege escalation.

60

supabase-audit-buckets-read

Attempt to list and read files from storage buckets to verify access controls.

60

supabase-evidence

Initialize and manage the evidence collection directory for professional security audits with documented proof of findings.

37

supabase

Main entry point for Supabase security audits. Launch a complete audit or quickly access any toolkit feature.

1