- Home
- Skills
- Yoanbernabeu
- Supabase Pentest Skills
- Supabase Detect
supabase-detect_skill
27
GitHub Stars
1
Bundled Files
2 months ago
Catalog Refreshed
4 months ago
First Indexed
Readme & install
Copy the install command, review bundled files from the catalogue, and read any extended description pulled from the listing source.
Installation
Preview and clipboard use veilstrat where the catalogue uses aiagentskills.
npx veilstrat add skill yoanbernabeu/supabase-pentest-skills --skill supabase-detect- SKILL.md9.9 KB
Overview
This skill detects whether a web application uses Supabase by analyzing client-side code, network patterns, and API endpoints. It performs automated checks across HTML, JavaScript bundles, network responses, and headers, then produces structured evidence and a confidence rating. The skill is designed as the first step in a Supabase-focused security audit and creates progressive context and audit logs as it runs.
How this skill works
The detector scans the target URL's HTML and JavaScript files for Supabase domain patterns and client library signatures (e.g., @supabase/supabase-js and createClient initialization). It probes characteristic API paths (/rest/v1/, /auth/v1/, /storage/v1/, /realtime/v1/, /functions/v1/) and inspects response headers for Supabase-specific identifiers. Findings are saved progressively to context and audit log files and bundled into an evidence directory for follow-up actions.
When to use it
- At the start of a security audit to confirm if Supabase is used
- Before running Supabase-specific audit steps like key extraction or RLS testing
- When triaging multiple targets to prioritize Supabase-related assessments
- To verify Supabase usage in single-page applications or lazy-loaded sites
- When investigating possible self-hosted or custom-domain Supabase setups
Best practices
- Run an interactive crawl or exercise the SPA to load lazy-loaded JS chunks before scanning
- Enable verbose mode to capture client initialization snippets and full endpoint lists
- Save findings progressively: write context and audit log entries immediately after each discovery
- Collect code excerpts and endpoint lists into an evidence directory for reproducibility
- Cross-check domain matches with observed endpoints to reduce false positives
Example use cases
- Quickly determine whether myapp.example.com relies on Supabase before deeper testing
- Scan a batch of customer URLs and flag those that expose Supabase endpoints
- Confirm a suspected Supabase project_ref found in obfuscated JS bundles
- Detect self-hosted Supabase by identifying PostgREST or GoTrue endpoint patterns
- Produce an evidence package (initial-scan.json, endpoints list, code snippets) for audit records
FAQ
High: multiple evidence types (domain + client + endpoints). Medium: a single strong indicator (explicit client init or project domain). Low: indirect or ambiguous patterns that may be false positives.
How does the skill handle single-page apps and lazy-loaded chunks?
The skill supports interactive crawling; exercising the app can load lazy bundles. If chunks still miss detection, provide known Supabase patterns or run a deeper JS bundle analysis.
What output and artifacts are produced?
Progressive context (.sb-pentest-context.json), audit log entries (.sb-pentest-audit.log), and an evidence directory with initial-scan.json, supabase-endpoints.txt, and client code snippets for reproducibility.