supabase-audit-auth-signup_skill

This skill tests signup open/blocked and detects abuse vectors in registration, providing actionable findings for Supabase authentication security.

27

GitHub Stars

1

Bundled Files

2 months ago

Catalog Refreshed

4 months ago

First Indexed

Readme & install

Copy the install command, review bundled files from the catalogue, and read any extended description pulled from the listing source.

Installation

Preview and clipboard use veilstrat where the catalogue uses aiagentskills.

npx veilstrat add skill yoanbernabeu/supabase-pentest-skills --skill supabase-audit-auth-signup

  • SKILL.md13.4 KB

Overview

This skill tests whether user signup is open and identifies abuse vectors in the registration process for Supabase projects. It performs pragmatic checks like disposable email acceptance, password policy strength, rate limiting, and information leakage. Results are saved progressively to context and log files and structured evidence is written for each test.

How this skill works

The skill issues controlled signup requests to the Supabase auth endpoint and evaluates responses for acceptance, error messages, and rate limiting behavior. It classifies findings (e.g., open signup, disposable emails allowed, weak passwords accepted, email enumeration) and writes interim results to .sb-pentest-context.json and .sb-pentest-audit.log after each test. Final evidence files are emitted into .sb-pentest-evidence/05-auth-audit/signup-tests/ for later review.

When to use it

  • During an authentication security audit of a Supabase project
  • When verifying whether signup should be public or restricted
  • To check if disposable emails or weak passwords are accepted
  • To confirm rate limiting is active on registrations
  • Before deployment or when investigating account-creation abuse

Best practices

  • Write context and logs progressively: update context file and audit log immediately after each test
  • Collect structured evidence files for each test case under the evidence directory
  • Use generic response messages on signup to prevent email enumeration
  • Enforce email confirmation and stronger password requirements (min 8+, mixed classes)
  • Block or flag disposable email domains and apply server-side rate limits

Example use cases

  • Confirm whether the project allows anyone to register without invitation
  • Test if common disposable email providers can create accounts
  • Verify password policies by attempting common weak passwords
  • Measure how many signups succeed before a rate limit triggers
  • Detect if signup responses reveal whether an email already exists

FAQ

The skill creates JSON evidence files for open-signup, weak-password, disposable-email, and rate-limit tests under .sb-pentest-evidence/05-auth-audit/signup-tests/.

Do I need credentials to run the tests?

You need the Supabase URL and anon key to call the public auth endpoints; admin credentials are only required for invite-only remediation actions.

How are discoveries saved if the run is interrupted?

Findings and test logs are written progressively to .sb-pentest-context.json and .sb-pentest-audit.log after each test so partial results are preserved.

Built by
VeilStrat
AI signals for GTM teams
© 2026 VeilStrat. All rights reserved.All systems operational
supabase-audit-auth-signup skill by yoanbernabeu/supabase-pentest-skills | VeilStrat