supabase-audit-buckets-read_skill

This skill verifies storage bucket access by listing files, reading metadata, and downloading samples to validate permissions and RLS policies.

27

GitHub Stars

1

Bundled Files

2 months ago

Catalog Refreshed

4 months ago

First Indexed

Readme & install

Copy the install command, review bundled files from the catalogue, and read any extended description pulled from the listing source.

Installation

Preview and clipboard use veilstrat where the catalogue uses aiagentskills.

npx veilstrat add skill yoanbernabeu/supabase-pentest-skills --skill supabase-audit-buckets-read

  • SKILL.md13.6 KB

Overview

This skill attempts to list and read files from Supabase storage buckets to verify access controls and detect exposed sensitive data. It performs non-destructive, read-only checks and produces structured findings and evidence for each bucket tested. The skill is optimized for progressive logging so results are preserved even if execution is interrupted.

How this skill works

The skill enumerates buckets (auto-invoking listing if needed), lists objects per bucket, reads object metadata, and downloads small sample contents when allowed to verify file types and detect secrets. It checks public URL access and flags sensitive files using filename patterns and lightweight content sampling. All findings, logs, and evidence files are written progressively during execution to ensure recoverable state.

When to use it

  • After discovering buckets to confirm actual file-level access
  • When testing storage RLS policies and anon key boundaries
  • To detect publicly exposed backups, secrets, or PII
  • When preparing a security audit or incident response
  • Before or after applying remediation to validate changes

Best practices

  • Run in read-only mode; avoid modifying or deleting objects
  • Write logs and context files immediately before/after each bucket test
  • Sample large buckets instead of full downloads to save time
  • Redact secrets in evidence samples and store evidence in a secured directory
  • Rotate any exposed credentials immediately and re-test access controls

Example use cases

  • Scan all buckets to find publicly accessible database dumps and secrets
  • Verify that private buckets return empty results for anon key requests
  • Produce evidence files and curl commands for reproduced findings
  • Confirm that RLS policies prevent object listing and downloads
  • Generate a prioritized list of buckets requiring immediate remediation

FAQ

No. It performs read-only operations: listing, metadata reads, and limited content sampling only.

What happens if the run is interrupted?

Findings and logs are written progressively to .sb-pentest-context.json and .sb-pentest-audit.log so prior results remain preserved.

Built by
VeilStrat
AI signals for GTM teams
© 2026 VeilStrat. All rights reserved.All systems operational