- Home
- Skills
- Yoanbernabeu
- Supabase Pentest Skills
- Supabase Audit Realtime
supabase-audit-realtime_skill
27
GitHub Stars
1
Bundled Files
2 months ago
Catalog Refreshed
4 months ago
First Indexed
Readme & install
Copy the install command, review bundled files from the catalogue, and read any extended description pulled from the listing source.
Installation
Preview and clipboard use veilstrat where the catalogue uses aiagentskills.
npx veilstrat add skill yoanbernabeu/supabase-pentest-skills --skill supabase-audit-realtime- SKILL.md14.1 KB
Overview
This skill tests Supabase Realtime WebSocket channels for unauthorized subscriptions and sensitive data exposure. It enumerates channels, attempts table streaming, broadcast subscriptions, and presence checks to identify RLS bypasses and open broadcast channels. Findings are saved progressively and packaged with evidence for remediation.
How this skill works
The skill connects to the Supabase Realtime WebSocket and enumerates common channel names and table change topics. For each subscription it logs the attempt, records events (INSERT/UPDATE/DELETE), and evaluates whether RLS or channel authorization prevents data streaming. Results and evidence files are written immediately after each test to preserve progress.
When to use it
- When Realtime is enabled on a Supabase project
- During security audits of apps using live updates or presence features
- To verify that RLS policies apply to realtime streams
- Before deploying features that broadcast user-sensitive data
- To detect open broadcast or presence channels exposing PII
Best practices
- Always enable and test Row Level Security for tables that contain PII
- Treat broadcast channels as potentially public unless explicitly restricted by channel policies
- Limit tracked presence fields to non-identifying values (timestamps, status)
- Write context and evidence files immediately after each channel test to avoid data loss
- Redact PII from stored evidence and include reproduction steps instead of raw user data
Example use cases
- Detecting that the users table streams full records over realtime despite RLS not being enforced
- Finding an admin or notifications broadcast channel that is publicly subscribable
- Verifying that orders or payments tables are protected and do not stream events to anon keys
- Auditing presence channels to ensure only minimal, non-PII data is tracked
- Generating progressive audit logs and per-channel evidence for a consolidated report
FAQ
You need the Supabase project URL and a valid anon key for initial connectivity; tests assume detection of project endpoints has already completed.
How are findings preserved if the audit is interrupted?
The skill writes a log entry before each subscription test and updates the context and evidence files immediately after each test so all prior findings are preserved even on crash.