supabase-extract-service-key_skill

This skill detects leaked service_role keys in client-side code during security audits, ensuring immediate remediation and safe Supabase usage.

27

GitHub Stars

1

Bundled Files

3 weeks ago

Catalog Refreshed

2 months ago

First Indexed

Readme & install

Copy the install command, review bundled files from the catalogue, and read any extended description pulled from the listing source.

Installation

Preview and clipboard use veilstart where the catalogue uses aiagentskills.

npx veilstart add skill yoanbernabeu/supabase-pentest-skills --skill supabase-extract-service-key

  • SKILL.md11.7 KB

Overview

This skill detects whether a Supabase service_role (admin) key is leaked in client-side code and flags it as a P0 (critical) finding. It focuses on identifying JWTs or environment variables exposing a role of "service_role", unsafe variable names, and exposed source maps that may reveal secrets. The skill produces actionable evidence, remediation steps, and must record findings progressively during the scan.

How this skill works

The skill inspects HTML, JavaScript bundles, inline scripts, and exposed source maps for patterns matching service_role JWTs and common service-key variable names. It decodes any discovered JWT payload to confirm the role claim and captures file path, line number, and redacted code snippets as evidence. When a leak is found the skill outputs a P0 finding with immediate remediation, creates evidence files, and updates audit/context logs incrementally.

When to use it

  • As part of every Supabase security audit (mandatory critical check)
  • Before production deployment or public releases
  • After detecting Supabase usage on a target app or domain
  • When reviewing build or CI configurations for environment variable leaks
  • If source maps are publicly accessible and may contain secrets

Best practices

  • Treat any client-side service_role key as an immediate P0 incident and rotate the key immediately
  • Write findings and audit logs progressively as discoveries are made to avoid data loss
  • Disable or remove source maps in production builds to prevent revealing source and secrets
  • Use NEXT_PUBLIC_ only for anon keys; never expose service_role in client env vars
  • Move privileged operations to server-side code or Edge Functions and restrict service keys to server environments

Example use cases

  • Scan a public web app to verify no service_role key appears in JS bundles or inline scripts
  • Deep-scan deployed assets and associated .map files to find keys leaked through source maps
  • Validate a pre-deploy build to ensure environment variables were not bundled into client code
  • After discovering a Supabase project ref, extract keys and produce P0 evidence for incident response
  • Generate remediation advice and a timeline entry for an emergency security report

FAQ

The service_role key bypasses all Row Level Security and grants full read/write access to the database and storage, enabling user impersonation and total data compromise.

What immediate actions should be taken if a service_role key is found?

Rotate the service_role key in the Supabase dashboard, remove the key from client code, audit logs for abuse, and move privileged operations to server-side or Edge Functions.

Built by
VeilStrat
AI signals for GTM teams
© 2026 VeilStrat. All rights reserved.All systems operational