# Supabase Security Audit Toolkit
Main entry point for auditing Supabase application security.
## Quick Start

```
# Full guided audit (recommended)
/supabase https://myapp.example.com

# Quick security check
/supabase check https://myapp.example.com

# Help and skills reference
/supabase help
```
## Execution Modes

### 1. Full Audit (`/supabase <url>`)

Launches a complete security audit in 7 phases:

| Phase | Description | Skills Used |
|---|---|---|
| 0 | Initialization | supabase-evidence |
| 1 | Detection | supabase-detect |
| 2 | Key Extraction | supabase-extract-* |
| 3 | API Audit | supabase-audit-tables-*, supabase-audit-rls, supabase-audit-rpc |
| 4 | Storage Audit | supabase-audit-buckets-* |
| 5 | Auth Audit | supabase-audit-auth-*, supabase-audit-authenticated |
| 6 | Realtime & Functions | supabase-audit-realtime, supabase-audit-functions |
| 7 | Report | supabase-report |
**Action:** Equivalent to `/supabase-pentest <url>`

### 2. Quick Check (`/supabase check <url>`)

Performs a rapid security check in 3 steps:

- Detection - Confirms Supabase usage
- Extraction - Retrieves URL and anon key
- RLS Test - Verifies basic security policies
**Result:** Quick security overview without a full report.

### 3. Help (`/supabase help`)

Displays the complete reference for all 24 available skills.

**Action:** Equivalent to `/supabase-help`

## Skills Tree

```
supabase/ ← YOU ARE HERE (entry point)
│
├── orchestration/
│ ├── supabase-pentest → Full guided audit
│ └── supabase-help → Quick reference
│
├── evidence/
│ └── supabase-evidence → Evidence management
│
├── detection/
│ └── supabase-detect → Supabase detection
│
├── extraction/
│ ├── supabase-extract-url → Project URL
│ ├── supabase-extract-anon-key → Anon key (expected)
│ ├── supabase-extract-service-key → Service key (P0!)
│ ├── supabase-extract-jwt → JWT tokens
│ └── supabase-extract-db-string → DB connection (P0!)
│
├── audit-api/
│ ├── supabase-audit-tables-list → Table listing
│ ├── supabase-audit-tables-read → Data reading
│ ├── supabase-audit-rls → RLS policies
│ └── supabase-audit-rpc → RPC functions
│
├── audit-storage/
│ ├── supabase-audit-buckets-list → Bucket listing
│ ├── supabase-audit-buckets-read → File reading
│ └── supabase-audit-buckets-public → Public buckets
│
├── audit-auth/
│ ├── supabase-audit-auth-config → Auth configuration
│ ├── supabase-audit-auth-signup → Signup testing
│ ├── supabase-audit-auth-users → User enumeration
│ └── supabase-audit-authenticated → IDOR testing (with user)
│
├── audit-realtime/
│ └── supabase-audit-realtime → WebSocket channels
│
├── audit-functions/
│ └── supabase-audit-functions → Edge Functions
│
└── report/
├── supabase-report → Report generation
    └── supabase-report-compare → Report comparison
```

## Severity Levels

| Level | Indicator | Description |
|---|---|---|
| P0 | 🔴 CRITICAL | Data exposure, service key leaked, direct DB access |
| P1 | 🟠 HIGH | Sensitive data, security misconfiguration |
| P2 | 🟡 MEDIUM | Minor exposure, best practice violations |
## Generated Files

| File | Description |
|---|---|
| `.sb-pentest-context.json` | Audit state and findings |
| `.sb-pentest-audit.log` | Chronological action log |
| `.sb-pentest-evidence/` | Evidence directory |
| `supabase-audit-report.md` | Final report |

## Common Workflows

### Complete Security Audit

```
/supabase https://myapp.example.com
→ Follow guided steps
→ Report generated automatically
```

### Pre-Production Check

```
/supabase check https://staging.myapp.com
→ Quick result in ~2 minutes
```

### Storage-Focused Audit

```
/supabase-detect https://myapp.com
/supabase-audit-buckets-list
/supabase-audit-buckets-public
```

### Comparison After Fixes

```
# Save previous report
mv supabase-audit-report.md audit-before.md

# Run new audit
/supabase https://myapp.com

# Compare
/supabase-report-compare audit-before.md supabase-audit-report.md
```
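The comparison step above is what lets a team verify that a remediation round actually closed the P0/P1 findings without introducing new ones. The script below is an added example, not code from the supabase-pentest-skills project: it diffs two audit reports and groups the result by the severity levels defined on this page. The report line format it parses (`- [P0] <finding title>`) and the two sample reports are constructed assumptions, since the project's real report layout is not shown here.

```python
"""Diff two Supabase audit reports (before/after fixes) by severity.

Added example, not part of the supabase-pentest-skills project.
ASSUMPTION: each finding is one markdown list line '- [P0|P1|P2] <title>'.
"""
import re

FINDING_RE = re.compile(r"^\s*-\s*\[(P[012])\]\s+(.+?)\s*$")
SEVERITY_ORDER = {"P0": 0, "P1": 1, "P2": 2}   # P0 is the most severe

# Constructed sample reports (not real audit output).
BEFORE_REPORT = """# Supabase Audit Report (before fixes)
- [P0] Service key found in client JavaScript bundle
- [P0] Table `profiles` readable with anon key (RLS disabled)
- [P1] Storage bucket `uploads` is public
- [P2] Signup enabled without email confirmation
"""

AFTER_REPORT = """# Supabase Audit Report (after fixes)
- [P2] Storage bucket `uploads` is public
- [P2] Signup enabled without email confirmation
- [P1] Storage bucket `avatars` is public
"""


def parse_findings(report_md: str) -> dict[str, str]:
    """Map finding title -> severity for every '- [Px] title' line."""
    findings: dict[str, str] = {}
    for line in report_md.splitlines():
        m = FINDING_RE.match(line)
        if m:
            findings[m.group(2)] = m.group(1)
    return findings


def compare_reports(before_md: str, after_md: str) -> dict:
    """Classify findings as fixed, new or remaining and flag regressions."""
    before = parse_findings(before_md)
    after = parse_findings(after_md)
    fixed = sorted(t for t in before if t not in after)
    new = sorted(t for t in after if t not in before)
    remaining = sorted(t for t in before if t in after)
    # Same finding, different severity (e.g. downgraded after partial fix).
    severity_changed = {t: (before[t], after[t])
                        for t in remaining if before[t] != after[t]}
    # Most severe level among newly introduced findings, if any.
    worst_new = min((after[t] for t in new), key=SEVERITY_ORDER.get, default=None)
    return {
        "fixed": fixed,
        "new": new,
        "remaining": remaining,
        "severity_changed": severity_changed,
        "open_by_severity": {
            s: sorted(t for t, sev in after.items() if sev == s)
            for s in SEVERITY_ORDER
        },
        "worst_new": worst_new,
        # Any open P0 means the project is still in a critical state.
        "p0_open": any(sev == "P0" for sev in after.values()),
    }


def format_summary(result: dict) -> str:
    """Render the comparison as a short text summary."""
    lines = [f"Fixed ({len(result['fixed'])}):"]
    lines += [f"  - {t}" for t in result["fixed"]]
    lines.append(f"New ({len(result['new'])}):")
    lines += [f"  - {t}" for t in result["new"]]
    lines.append(f"Remaining ({len(result['remaining'])}):")
    for t in result["remaining"]:
        change = result["severity_changed"].get(t)
        suffix = f" ({change[0]} -> {change[1]})" if change else ""
        lines.append(f"  - {t}{suffix}")
    lines.append("P0 still open: " + ("YES" if result["p0_open"] else "no"))
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_summary(compare_reports(BEFORE_REPORT, AFTER_REPORT)))
```

Treating `p0_open` or a non-empty `new` list as a failing condition makes this usable as a gate in a pre-production pipeline, which is the "Pre-Production Check" use case described earlier.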
## Prerequisites

- Public URL of the target application
- Authorization to test (owner or explicit permission)
- Internet connection
## Security Notice

⚠️ AUTHORIZATION REQUIRED

Unauthorized security testing may violate laws and terms of service.
Confirm you are authorized to test this application.
## Direct Skill Access

Each skill can be invoked individually:

```
/supabase-detect <url>        # Detection
/supabase-extract-anon-key    # Key extraction
/supabase-audit-rls           # RLS testing
/supabase-report              # Report generation
```

For the complete list: `/supabase help` or `/supabase-help`
## Support

- Documentation: Check the repository README
- Issues: Open an issue on GitHub
- Each skill has its own detailed documentation
Repository: yoanbernabeu/supabase-pentest-skills
First seen: Jan 31, 2026