Repository inventory

yoanbernabeu/supabase-pentest-skills

Skills indexed from this repository, with install-style signals scoped to the repo.
15 skills405 GitHub stars0 weekly installsGitHubOwner profile

Overview

This skill orchestrates a complete Supabase security audit with guided, step-by-step execution and enforced ownership confirmation. It runs detection, credential extraction, API and storage audits, RLS and auth checks, realtime/functions testing, and generates a comprehensive report. The orchestrator enforces progressive evidence collection and checkpoint verification so findings are preserved even if the audit is interrupted.

How this skill works

The skill runs the audit as a sequence of phases: initialization, detection, key extraction, API audit, storage audit, auth audit, realtime/functions audit, and report generation. Each phase logs actions before and after execution, saves evidence files immediately, and updates a centralized context file so the audit state is always recoverable. When available, Plan Mode is recommended to build and approve a multi-phase plan before execution.

When to use it

  • Perform a full security assessment of a Supabase-based application
  • Run an internal or pre-production security review before deployment
  • Audit an application after a suspected security incident
  • Conduct recurring security reviews as part of compliance or risk management
  • Resume or continue a previously interrupted Supabase audit

Best practices

  • Confirm explicit written authorization to test the target before starting
  • Use Plan Mode when supported to validate scope and get user approval
  • Run audits during low-traffic windows to reduce impact on production
  • Write context and evidence files incrementally — after every discovery or action
  • Verify required files and evidence exist before transitioning between phases

Example use cases

  • Full audit of https://myapp.example.com with progressive evidence collection
  • Resume an interrupted audit from Phase 3 (API Audit) using saved context
  • Skip specific phases (for example, skip auth audit) to tailor scope
  • Create a test user (with consent) to detect IDOR and cross-user access issues
  • Generate a final Markdown report with executive summary and remediation steps

FAQ

Yes. You must own the application or have explicit written authorization to perform security testing.

What happens if the audit process is interrupted?

All findings and logs are written incrementally to context and evidence files so the audit can be resumed from the last saved checkpoint.

Is Plan Mode required?

Plan Mode is recommended for complex audits for better traceability, but the audit can proceed without it if unavailable.

15 skills

supabase-pentest
Api

This skill orchestrates a comprehensive Supabase security audit, guiding phased testing and progressive evidence logging for reliable risk reporting.

AutomationDatabaseSecuritySupabase+1
supabase-extract-url
Api

This skill extracts the Supabase project URL from client-side code and config to enable rapid testing and targeted security auditing.

AutomationDebuggingDevopsSecurity+2
supabase-audit-buckets-list
Ai

This skill inventories all Supabase storage buckets and configurations, highlighting public exposure and RLS gaps to strengthen storage security.

ApiAutomationDatabaseSecurity+2
supabase-audit-buckets-public
Ai

This skill identifies publicly accessible storage buckets in Supabase and provides actionable remediation guidance to prevent data exposure.

AutomationCloudDatabaseDevops+2
supabase-audit-buckets-read
Cloud

This skill verifies storage bucket access by listing files, reading metadata, and downloading samples to validate permissions and RLS policies.

DataSecuritySupabaseTesting
supabase-audit-authenticated
Database

This skill creates a test authenticated user to audit access gaps versus anonymous users and detect IDOR, cross-user access, and privilege escalation.

SecuritySqlSupabaseTesting
supabase-audit-realtime
Api

This skill audits Supabase Realtime channels for unauthorized subscriptions and data exposure, logging findings progressively for secure channel configuration.

DatabaseSecuritySupabase
supabase-report
Api

This skill generates a comprehensive Supabase security audit report with executive summary, findings, and actionable remediation guidance for stakeholders.

AutomationDatabaseSecuritySupabase+1
supabase-extract-jwt
Api

This skill extracts and analyzes Supabase JWTs from client code and storage patterns to uncover exposure, risks, and misconfigurations.

AutomationDataDatabaseSecurity+2
supabase-extract-anon-key
Api

This skill extracts the Supabase anon key from client code to enable secure testing and RLS verification across projects.

AutomationSecuritySupabaseTesting
supabase-detect
Ai

This skill detects Supabase usage in a web app by analyzing domain patterns, client libraries, and API endpoints to determine project presence.

ApiAutomationBackendDatabase+3
supabase-evidence
Ai

This skill initializes and manages progressive evidence collection for professional security audits, ensuring immediate evidence saving and organized reporting.

AutomationDataDevopsSecurity+2
supabase-audit-functions
Api

This skill discovers and tests Supabase Edge Functions for security issues, reporting findings and actionable fixes to strengthen your project.

SecuritySupabaseTesting
supabase-extract-service-key
Api

This skill detects leaked service_role keys in client-side code during security audits, ensuring immediate remediation and safe Supabase usage.

BackendCloudSecuritySupabase
supabase-audit-auth-signup
Api

This skill tests signup open/blocked and detects abuse vectors in registration, providing actionable findings for Supabase authentication security.

AutomationBackendSecuritySupabase+1
More from this maintainer
Other repositories and skills published under the same GitHub owner.
Skills library
Jump back to the full directory or explore grouped topics.
Built by
VeilStrat
AI signals for GTM teams
© 2026 VeilStrat. All rights reserved.All systems operational