- Home
- Skills
- Yoanbernabeu
- Supabase Pentest Skills
- Supabase Audit Functions
supabase-audit-functions_skill
27
GitHub Stars
1
Bundled Files
2 months ago
Catalog Refreshed
4 months ago
First Indexed
Readme & install
Copy the install command, review bundled files from the catalogue, and read any extended description pulled from the listing source.
Installation
Preview and clipboard use veilstrat where the catalogue uses aiagentskills.
npx veilstrat add skill yoanbernabeu/supabase-pentest-skills --skill supabase-audit-functions- SKILL.md16.0 KB
Overview
This skill discovers and tests Supabase Edge Functions for security vulnerabilities and misconfigurations. It performs automated discovery, authentication and authorization checks, input validation and error-handling tests, and produces progressive audit logs and context updates. Findings and evidence are saved incrementally so results persist if execution is interrupted. Outputs include per-function test artifacts and a consolidated findings summary.
How this skill works
The skill enumerates common function names and analyzes client code to locate Edge Function endpoints, then probes each endpoint for authentication requirements, authorization flaws (IDOR, missing role checks), input validation issues, and information disclosure. It writes logs to an audit log and updates a JSON context file immediately before and after each function test, and saves structured evidence files per function in an evidence directory. Final output aggregates counts, severity labels, example requests/curl commands, and concrete remediation snippets for each finding.
When to use it
- During a Supabase security assessment or penetration test
- When validating function authentication and authorization controls
- To discover exposed or public Edge Functions before production deployment
- When reviewing webhook handlers for signature and error-handling issues
- As part of regular application security hygiene and CI checks
Best practices
- Run discovery against the project URL and include client-side code analysis for higher coverage
- Log actions and update context files progressively — after starting and after completing each function test
- Capture structured evidence per function (discovered-functions.json and function-tests/*.json) to support remediation
- Treat public webhook endpoints differently: validate signatures, avoid revealing expected formats in responses
- Use typed validation (zod or similar) and explicit ownership/role checks in functions for remediation
Example use cases
- Audit all Edge Functions to create a prioritized vulnerability list with P0/P1 labels
- Test a specific function (e.g., process-payment) for auth, input validation, and error leakage
- Reproduce an IDOR by requesting another user's resource with a valid JWT and collect evidence JSON
- Verify admin-only endpoints enforce role checks and produce remediation code snippets
- Check webhook-handler endpoints for exposed signature formats and recommend safer error messages
FAQ
The skill writes discovered-functions.json, per-function test JSON files under function-tests/, and a consolidated .sb-pentest-context.json plus .sb-pentest-audit.log entries.
How does the skill avoid losing data on interruption?
It updates the audit log and context JSON progressively: before and after each function test and immediately when findings are discovered, ensuring partial results are preserved.