supabase-evidence
SKILL.md
Evidence Collection Management
🔴 CRITICAL: PROGRESSIVE FILE UPDATES REQUIRED
You MUST write evidence files AS YOU GO, not just at the end.
- Save each piece of evidence IMMEDIATELY after collection
- DO NOT wait until the skill completes to save evidence
- If the audit crashes or is interrupted, all prior evidence must already be saved
This is not optional. Failure to save evidence progressively is a critical error.
This skill initializes and manages the evidence collection system for professional security audits.
When to Use This Skill
- Automatically invoked at the start of
supabase-pentest - When you need to organize evidence for a professional report
- When conducting audits that require documented proof
- For compliance and legal purposes
Why Evidence Collection Matters
Professional security audits require:
| Requirement | Purpose |
|---|---|
| Reproducibility | Others can verify findings |
| Legal proof | Documentation for legal/compliance |
| Remediation verification | Prove issues existed before fix |
| Audit trail | Complete record of what was tested |
Evidence Directory Structure
The skill creates .sb-pentest-evidence/ with this structure:
.sb-pentest-evidence/
├── README.md # Evidence index and summary
├── curl-commands.sh # All curl commands used (reproducible)
├── timeline.md # Chronological evidence timeline
│
├── 01-detection/
│ ├── initial-scan.json # Raw detection results
│ ├── supabase-endpoints.txt # Discovered endpoints
│ └── client-code-snippets/ # Relevant code excerpts
│ └── supabase-init.js
│
├── 02-extraction/
│ ├── extracted-url.json # URL extraction proof
│ ├── extracted-anon-key.json # Anon key with decoded JWT
│ ├── extracted-jwts.json # All JWTs found
│ ├── service-key-exposure/ # If service key found (P0)
│ │ ├── location.txt
│ │ └── decoded-payload.json
│ └── db-string-exposure/ # If DB string found (P0)
│ └── connection-details.json
│
├── 03-api-audit/
│ ├── openapi-schema.json # Raw OpenAPI/PostgREST schema
│ ├── tables/
│ │ ├── tables-list.json # All exposed tables
│ │ └── tables-metadata.json # Column details per table
│ ├── data-samples/ # Sample data retrieved (redacted)
│ │ ├── users-sample.json
│ │ ├── orders-sample.json
│ │ └── ...
│ ├── rls-tests/ # RLS policy test results
│ │ ├── users-anon.json # Anon access attempt
│ │ ├── users-auth.json # Authenticated access
│ │ └── cross-user-test.json # Cross-user access attempt
│ └── rpc-tests/ # RPC function test results
│ ├── function-list.json
│ └── vulnerable-functions/
│ └── get-all-users.json
│
├── 04-storage-audit/
│ ├── buckets-config.json # Bucket configurations
│ ├── buckets/
│ │ ├── avatars/
│ │ │ └── file-list.json
│ │ ├── backups/ # If sensitive (P0)
│ │ │ ├── file-list.json
│ │ │ └── sample-contents/ # Redacted samples
│ │ └── ...
│ └── public-url-tests/ # Direct URL access tests
│ └── backup-access.json
│
├── 05-auth-audit/
│ ├── auth-settings.json # Auth configuration
│ ├── signup-tests/
│ │ ├── open-signup.json # Signup availability
│ │ ├── weak-password.json # Weak password test
│ │ └── rate-limit.json # Rate limiting test
│ └── enumeration-tests/
│ ├── login-timing.json # Timing attack data
│ ├── recovery-timing.json
│ └── otp-enumeration.json
│
├── 06-realtime-audit/
│ ├── websocket-connection.json
│ ├── postgres-changes/ # Table subscription tests
│ │ └── users-streaming.json
│ ├── broadcast-channels/ # Channel access tests
│ │ └── admin-channel.json
│ └── presence-data/
│ └── exposed-users.json
│
├── 07-functions-audit/
│ ├── discovered-functions.json
│ └── function-tests/
│ ├── hello-world.json
│ ├── get-user-data-idor.json
│ └── admin-panel-escalation.json
│
└── screenshots/ # Optional: browser screenshots
└── ...
Usage
Initialize Evidence Directory
Initialize evidence collection for audit
Manual Evidence Save
Save evidence: [description] to [category]
Evidence File Format
Each evidence file follows this structure:
{
"evidence_id": "API-001",
"timestamp": "2025-01-31T10:30:00Z",
"category": "api-audit",
"type": "data-sample",
"finding_id": "P0-001",
"description": "Users table data accessible without authentication",
"request": {
"method": "GET",
"url": "https://abc123.supabase.co/rest/v1/users?select=*&limit=5",
"headers": {
"apikey": "[REDACTED - anon key]",
"Authorization": "Bearer [REDACTED - anon key]"
},
"curl_command": "curl -X GET 'https://abc123.supabase.co/rest/v1/users?select=*&limit=5' -H 'apikey: eyJ...' -H 'Authorization: Bearer eyJ...'"
},
"response": {
"status": 200,
"headers": {
"content-type": "application/json",
"x-total-count": "1247"
},
"body": [
{
"id": "550e8400-e29b-41d4-a716-446655440001",
"email": "[REDACTED]@example.com",
"name": "[REDACTED]",
"created_at": "2025-01-15T10:30:00Z"
}
],
"body_redacted": true,
"total_rows_indicated": 1247
},
"analysis": {
"severity": "P0",
"impact": "All user PII accessible without authentication",
"affected_data": ["email", "name", "id"],
"row_count": 1247
}
}
Curl Commands File
All curl commands are collected in curl-commands.sh:
#!/bin/bash
# Supabase Security Audit - Reproducible Commands
# Target: https://myapp.example.com
# Project: abc123def.supabase.co
# Date: 2025-01-31
#
# IMPORTANT: Replace [ANON_KEY] with actual key before running
# WARNING: These commands may modify data - use with caution
SUPABASE_URL="https://abc123def.supabase.co"
ANON_KEY="eyJ..."
# === DETECTION ===
# Check if Supabase is used
curl -s "$SUPABASE_URL/rest/v1/" -H "apikey: $ANON_KEY" | head -100
# === TABLE LISTING ===
# Get OpenAPI schema (list all tables)
curl -s "$SUPABASE_URL/rest/v1/" -H "apikey: $ANON_KEY"
# === DATA ACCESS TESTS ===
# Test: Users table (P0 - should be blocked)
curl -s "$SUPABASE_URL/rest/v1/users?select=*&limit=5" \
-H "apikey: $ANON_KEY" \
-H "Authorization: Bearer $ANON_KEY"
# Test: Orders table (should be blocked by RLS)
curl -s "$SUPABASE_URL/rest/v1/orders?select=*&limit=5" \
-H "apikey: $ANON_KEY" \
-H "Authorization: Bearer $ANON_KEY"
# === RLS BYPASS TESTS ===
# ... additional commands ...
Timeline File
The timeline.md provides chronological evidence:
# Audit Timeline
## 2025-01-31 10:00:00 - Audit Started
- Target: https://myapp.example.com
- Authorization confirmed
## 2025-01-31 10:05:00 - Detection Phase
- Supabase detected with high confidence
- Project URL: https://abc123def.supabase.co
- Evidence: `01-detection/initial-scan.json`
## 2025-01-31 10:10:00 - P0 CRITICAL: Service Key Exposed
- Service role key found in client code
- Location: /static/js/admin.chunk.js:89
- Evidence: `02-extraction/service-key-exposure/`
## 2025-01-31 10:15:00 - API Audit Started
- 8 tables discovered
- Evidence: `03-api-audit/tables/tables-list.json`
## 2025-01-31 10:20:00 - P0 CRITICAL: Users Table Exposed
- All 1,247 user records accessible
- PII exposed: email, name
- Evidence: `03-api-audit/data-samples/users-sample.json`
...
Context Output
Updates .sb-pentest-context.json:
{
"evidence": {
"directory": ".sb-pentest-evidence",
"initialized_at": "2025-01-31T10:00:00Z",
"files_count": 45,
"categories": {
"detection": 3,
"extraction": 5,
"api-audit": 15,
"storage-audit": 8,
"auth-audit": 7,
"realtime-audit": 4,
"functions-audit": 3
},
"critical_evidence": [
"02-extraction/service-key-exposure/",
"03-api-audit/data-samples/users-sample.json",
"04-storage-audit/buckets/backups/"
]
}
}
Evidence Collection Rules
What to Collect
| Category | Evidence Type | Example |
|---|---|---|
| Always | Raw API responses | JSON responses |
| Always | Curl commands | Reproducible commands |
| Always | Timestamps | When each test occurred |
| P0/P1 | Data samples (redacted) | Sample rows with PII masked |
| P0 | Full request/response | Complete HTTP exchange |
| Optional | Screenshots | Browser evidence |
Redaction Rules
Sensitive data MUST be redacted in evidence files:
{
"original": "john.doe@example.com",
"redacted": "[REDACTED]@example.com"
}
{
"original": "John Doe",
"redacted": "[REDACTED]"
}
{
"original": "sk_live_xxxxxxxxxxxxxxxxxxxx",
"redacted": "sk_live_[REDACTED]"
}
NEVER store in evidence:
- Actual passwords
- Full credit card numbers
- Full API keys (show first/last 4 chars only)
- Full personal data (partial redaction required)
Naming Conventions
[category]-[test-name]-[timestamp].json
Examples:
users-anon-access-20250131-103000.jsonadmin-function-no-auth-20250131-143000.json
MANDATORY: Evidence File Updates
⚠️ Evidence MUST be saved PROGRESSIVELY during execution.
Critical Rule: Save As You Go
DO NOT batch all evidence at the end. Instead:
- Before each test → Create evidence file placeholder
- After each request → Save request details immediately
- After each response → Save response immediately
- After analysis → Add analysis to evidence file
Directory Initialization
At audit start, create:
mkdir -p .sb-pentest-evidence/{01-detection,02-extraction,03-api-audit/tables,03-api-audit/data-samples,03-api-audit/rls-tests,03-api-audit/rpc-tests,04-storage-audit/buckets,04-storage-audit/public-url-tests,05-auth-audit/signup-tests,05-auth-audit/enumeration-tests,06-realtime-audit/postgres-changes,06-realtime-audit/broadcast-channels,07-functions-audit/function-tests,screenshots}
Log to Audit Log
[TIMESTAMP] [supabase-evidence] [START] Initializing evidence directory
[TIMESTAMP] [supabase-evidence] [CREATED] .sb-pentest-evidence/
[TIMESTAMP] [supabase-evidence] [CONTEXT_UPDATED] Evidence tracking initialized
Integration with Other Skills
This skill is automatically invoked by supabase-pentest. Each audit skill should:
- Save evidence to the appropriate subdirectory
- Use consistent naming conventions
- Add entries to
curl-commands.sh - Update
timeline.mdfor significant findings
Related Skills
supabase-pentest— Orchestrator that initializes evidence collectionsupabase-report— Uses evidence for comprehensive reporting- All audit skills — Contribute evidence to their respective directories
Weekly Installs
37
Repository
yoanbernabeu/supabase-pentest-skillsFirst Seen
Jan 31, 2026
Installed on
claude-code34
gemini-cli15
antigravity15
cursor15
opencode14
codex14