- Home
- Skills
- Yoanbernabeu
- Supabase Pentest Skills
- Supabase Evidence
supabase-evidence_skill
27
GitHub Stars
1
Bundled Files
2 months ago
Catalog Refreshed
4 months ago
First Indexed
Readme & install
Copy the install command, review bundled files from the catalogue, and read any extended description pulled from the listing source.
Installation
Preview and clipboard use veilstrat where the catalogue uses aiagentskills.
npx veilstrat add skill yoanbernabeu/supabase-pentest-skills --skill supabase-evidence- SKILL.md11.5 KB
Overview
This skill initializes and manages a progressive evidence collection directory for professional Supabase security audits. It ensures every request, response, command, and analysis is saved immediately during the audit to preserve reproducibility and legal proof. The structure, naming, and redaction rules are enforced so evidence is consistent and safe for reporting.
How this skill works
On start it creates a standardized .sb-pentest-evidence/ tree and placeholders for each test category. During the audit it writes evidence files incrementally: request placeholders before tests, request/response pairs immediately after each interaction, and analysis entries once a finding is evaluated. It also appends reproducible curl commands, updates a chronological timeline, and maintains a context file summarizing evidence counts and critical items.
When to use it
- Automatically at the start of a supabase-pentest run
- When you need auditable, reproducible proof of findings
- For compliance, legal, or remediation verification purposes
- While running any Supabase audit sub-skill that produces API/storage/auth evidence
- When building a report that must reference primary evidence files
Best practices
- Always save evidence progressively — create placeholders before tests and write results immediately after
- Use the provided directory structure and naming conventions for consistent indexing
- Redact sensitive values per rules: mask PII and only show key prefixes/suffixes
- Collect raw API responses, curl commands, timestamps, and analysis for each test
- Append a short timeline entry for every significant finding to maintain chronological context
Example use cases
- Start-of-audit initialization for a full Supabase pentest to collect reproducible artifacts
- Capturing a P0 service-key exposure with full request/response and decoded payload saved immediately
- Recording RLS test attempts: save anon vs. authenticated responses and analysis per test
- Collecting storage bucket listings and direct URL access tests with sample redacted file contents
- Generating curl-commands.sh entries while performing API enumeration so investigators can reproduce steps
FAQ
Because evidence is saved progressively, previous files remain intact; resume by continuing to append new evidence and update timeline and context files.
How should sensitive data be stored in evidence files?
Redact personal data and secrets: mask PII, never store full passwords or API keys (show only first/last 4 chars), and mark redacted fields clearly in evidence JSON.