supabase-audit-realtime_skill

This skill audits Supabase Realtime channels for unauthorized subscriptions and data exposure, logging findings progressively for secure channel configuration.

27

GitHub Stars

1

Bundled Files

2 months ago

Catalog Refreshed

4 months ago

First Indexed

Readme & install

Copy the install command, review bundled files from the catalogue, and read any extended description pulled from the listing source.

Installation

Preview and clipboard use veilstrat where the catalogue uses aiagentskills.

npx veilstrat add skill yoanbernabeu/supabase-pentest-skills --skill supabase-audit-realtime

  • SKILL.md14.1 KB

Overview

This skill tests Supabase Realtime WebSocket channels for unauthorized subscriptions and sensitive data exposure. It enumerates channels, attempts table streaming, broadcast subscriptions, and presence checks to identify RLS bypasses and open broadcast channels. Findings are saved progressively and packaged with evidence for remediation.

How this skill works

The skill connects to the Supabase Realtime WebSocket and enumerates common channel names and table change topics. For each subscription it logs the attempt, records events (INSERT/UPDATE/DELETE), and evaluates whether RLS or channel authorization prevents data streaming. Results and evidence files are written immediately after each test to preserve progress.

When to use it

  • When Realtime is enabled on a Supabase project
  • During security audits of apps using live updates or presence features
  • To verify that RLS policies apply to realtime streams
  • Before deploying features that broadcast user-sensitive data
  • To detect open broadcast or presence channels exposing PII

Best practices

  • Always enable and test Row Level Security for tables that contain PII
  • Treat broadcast channels as potentially public unless explicitly restricted by channel policies
  • Limit tracked presence fields to non-identifying values (timestamps, status)
  • Write context and evidence files immediately after each channel test to avoid data loss
  • Redact PII from stored evidence and include reproduction steps instead of raw user data

Example use cases

  • Detecting that the users table streams full records over realtime despite RLS not being enforced
  • Finding an admin or notifications broadcast channel that is publicly subscribable
  • Verifying that orders or payments tables are protected and do not stream events to anon keys
  • Auditing presence channels to ensure only minimal, non-PII data is tracked
  • Generating progressive audit logs and per-channel evidence for a consolidated report

FAQ

You need the Supabase project URL and a valid anon key for initial connectivity; tests assume detection of project endpoints has already completed.

How are findings preserved if the audit is interrupted?

The skill writes a log entry before each subscription test and updates the context and evidence files immediately after each test so all prior findings are preserved even on crash.

Built by
VeilStrat
AI signals for GTM teams
© 2026 VeilStrat. All rights reserved.All systems operational
supabase-audit-realtime skill by yoanbernabeu/supabase-pentest-skills | VeilStrat