- Home
- Skills
- Yoanbernabeu
- Supabase Pentest Skills
- Supabase Audit Buckets List
supabase-audit-buckets-list_skill
27
GitHub Stars
1
Bundled Files
2 months ago
Catalog Refreshed
4 months ago
First Indexed
Readme & install
Copy the install command, review bundled files from the catalogue, and read any extended description pulled from the listing source.
Installation
Preview and clipboard use veilstrat where the catalogue uses aiagentskills.
npx veilstrat add skill yoanbernabeu/supabase-pentest-skills --skill supabase-audit-buckets-list- SKILL.md10.3 KB
Overview
This skill enumerates all Supabase storage buckets and reports their configuration so you can quickly identify the storage attack surface. It provides per-bucket details (public flag, size limits, allowed MIME types, estimated file counts) and a concise risk summary with remediation guidance. The skill is designed for integration in automated security audits and manual penetration tests.
How this skill works
The skill queries the Supabase Storage API to list buckets and inspects each bucket's configuration and metadata. It flags public buckets, unrestricted MIME settings, large size limits, and other indicators of misconfiguration. Results are returned as a structured inventory and a summary that highlights critical and priority issues, plus recommended SQL/RLS fixes.
When to use it
- Inventory storage before running read or upload tests
- As a preliminary step in a Supabase storage security audit
- To identify unexpectedly public or misconfigured buckets
- When validating changes to storage policies or deployment
- Before searching for sensitive files in public buckets
Best practices
- Record findings progressively: update context and logs after each bucket discovery
- Prioritize public buckets and those allowing */* MIME types for immediate review
- Treat unexpected public buckets as high/critical and remediate first
- Collect evidence (API requests, bucket configs, file lists) for reproducible reports
- Verify private buckets with a dedicated RLS test skill after enumeration
Example use cases
- Run a fast inventory to find any public backup or sensitive buckets
- Generate a report of bucket settings and recommended RLS SQL to hand to developers
- Automate storage enumeration as part of CI security checks for Supabase projects
- Combine with read-tests to confirm whether public buckets actually expose files
- Triage a production incident by quickly listing storage surfaces and risk levels
FAQ
An active Supabase URL and anon key are needed to call the storage list endpoint.
What if listing buckets is blocked?
If enumeration is restricted, note it as 'unable to enumerate' — restricted APIs are a positive control.
How are public buckets identified?
By the bucket 'public' flag and by checking public object URL patterns provided by the Storage API.