yoanbernabeu/supabase-pentest-skills
Overview
This skill orchestrates a complete Supabase security audit with guided, step-by-step execution and enforced ownership confirmation. It runs detection, credential extraction, API and storage audits, RLS and auth checks, realtime/functions testing, and generates a comprehensive report. The orchestrator enforces progressive evidence collection and checkpoint verification so findings are preserved even if the audit is interrupted.
How this skill works
The skill runs the audit as a sequence of phases: initialization, detection, key extraction, API audit, storage audit, auth audit, realtime/functions audit, and report generation. Each phase logs actions before and after execution, saves evidence files immediately, and updates a centralized context file so the audit state is always recoverable. When available, Plan Mode is recommended to build and approve a multi-phase plan before execution.
When to use it
- Perform a full security assessment of a Supabase-based application
- Run an internal or pre-production security review before deployment
- Audit an application after a suspected security incident
- Conduct recurring security reviews as part of compliance or risk management
- Resume or continue a previously interrupted Supabase audit
Best practices
- Confirm explicit written authorization to test the target before starting
- Use Plan Mode when supported to validate scope and get user approval
- Run audits during low-traffic windows to reduce impact on production
- Write context and evidence files incrementally — after every discovery or action
- Verify required files and evidence exist before transitioning between phases
Example use cases
- Full audit of https://myapp.example.com with progressive evidence collection
- Resume an interrupted audit from Phase 3 (API Audit) using saved context
- Skip specific phases (for example, skip auth audit) to tailor scope
- Create a test user (with consent) to detect IDOR and cross-user access issues
- Generate a final Markdown report with executive summary and remediation steps
FAQ
Yes. You must own the application or have explicit written authorization to perform security testing.
What happens if the audit process is interrupted?
All findings and logs are written incrementally to context and evidence files so the audit can be resumed from the last saved checkpoint.
Is Plan Mode required?
Plan Mode is recommended for complex audits for better traceability, but the audit can proceed without it if unavailable.
15 skills
This skill orchestrates a comprehensive Supabase security audit, guiding phased testing and progressive evidence logging for reliable risk reporting.
This skill extracts the Supabase project URL from client-side code and config to enable rapid testing and targeted security auditing.
This skill inventories all Supabase storage buckets and configurations, highlighting public exposure and RLS gaps to strengthen storage security.
This skill identifies publicly accessible storage buckets in Supabase and provides actionable remediation guidance to prevent data exposure.
This skill verifies storage bucket access by listing files, reading metadata, and downloading samples to validate permissions and RLS policies.
This skill creates a test authenticated user to audit access gaps versus anonymous users and detect IDOR, cross-user access, and privilege escalation.
This skill audits Supabase Realtime channels for unauthorized subscriptions and data exposure, logging findings progressively for secure channel configuration.
This skill generates a comprehensive Supabase security audit report with executive summary, findings, and actionable remediation guidance for stakeholders.
This skill extracts and analyzes Supabase JWTs from client code and storage patterns to uncover exposure, risks, and misconfigurations.
This skill extracts the Supabase anon key from client code to enable secure testing and RLS verification across projects.
This skill detects Supabase usage in a web app by analyzing domain patterns, client libraries, and API endpoints to determine project presence.
This skill initializes and manages progressive evidence collection for professional security audits, ensuring immediate evidence saving and organized reporting.
This skill discovers and tests Supabase Edge Functions for security issues, reporting findings and actionable fixes to strengthen your project.
This skill detects leaked service_role keys in client-side code during security audits, ensuring immediate remediation and safe Supabase usage.
This skill tests signup open/blocked and detects abuse vectors in registration, providing actionable findings for Supabase authentication security.