- Home
- Skills
- Yoanbernabeu
- Supabase Pentest Skills
- Supabase Audit Buckets Read
supabase-audit-buckets-read_skill
27
GitHub Stars
1
Bundled Files
2 months ago
Catalog Refreshed
4 months ago
First Indexed
Readme & install
Copy the install command, review bundled files from the catalogue, and read any extended description pulled from the listing source.
Installation
Preview and clipboard use veilstrat where the catalogue uses aiagentskills.
npx veilstrat add skill yoanbernabeu/supabase-pentest-skills --skill supabase-audit-buckets-read- SKILL.md13.6 KB
Overview
This skill attempts to list and read files from Supabase storage buckets to verify access controls and detect exposed sensitive data. It performs non-destructive, read-only checks and produces structured findings and evidence for each bucket tested. The skill is optimized for progressive logging so results are preserved even if execution is interrupted.
How this skill works
The skill enumerates buckets (auto-invoking listing if needed), lists objects per bucket, reads object metadata, and downloads small sample contents when allowed to verify file types and detect secrets. It checks public URL access and flags sensitive files using filename patterns and lightweight content sampling. All findings, logs, and evidence files are written progressively during execution to ensure recoverable state.
When to use it
- After discovering buckets to confirm actual file-level access
- When testing storage RLS policies and anon key boundaries
- To detect publicly exposed backups, secrets, or PII
- When preparing a security audit or incident response
- Before or after applying remediation to validate changes
Best practices
- Run in read-only mode; avoid modifying or deleting objects
- Write logs and context files immediately before/after each bucket test
- Sample large buckets instead of full downloads to save time
- Redact secrets in evidence samples and store evidence in a secured directory
- Rotate any exposed credentials immediately and re-test access controls
Example use cases
- Scan all buckets to find publicly accessible database dumps and secrets
- Verify that private buckets return empty results for anon key requests
- Produce evidence files and curl commands for reproduced findings
- Confirm that RLS policies prevent object listing and downloads
- Generate a prioritized list of buckets requiring immediate remediation
FAQ
No. It performs read-only operations: listing, metadata reads, and limited content sampling only.
What happens if the run is interrupted?
Findings and logs are written progressively to .sb-pentest-context.json and .sb-pentest-audit.log so prior results remain preserved.