supabase-extract-url_skill

This skill extracts the Supabase project URL from client-side code and config to enable rapid testing and targeted security auditing.

27

GitHub Stars

1

Bundled Files

2 months ago

Catalog Refreshed

4 months ago

First Indexed

Readme & install

Copy the install command, review bundled files from the catalogue, and read any extended description pulled from the listing source.

Installation

Preview and clipboard use veilstrat where the catalogue uses aiagentskills.

npx veilstrat add skill yoanbernabeu/supabase-pentest-skills --skill supabase-extract-url

  • SKILL.md8.7 KB

Overview

This skill extracts the Supabase project URL from client-side JavaScript, environment variables, HTML, and configuration files. It discovers project references, infers endpoints, validates reachability, and records findings for follow-up auditing. The skill persistently logs progress and saves context and evidence as discoveries occur.

How this skill works

The skill scans served pages and provided local source directories for URL patterns, environment variable names, meta tags, and createClient calls. When it finds candidate URLs it validates format, attempts a reachable REST/auth check, and infers common Supabase endpoints. Each discovery is immediately recorded to context and audit logs and an evidence file is created for later review.

When to use it

  • After detecting or suspecting Supabase usage in a web app
  • Before running API or key extraction skills to obtain the project base URL
  • When you need to identify the Supabase project reference and region
  • When preparing a targeted RLS, storage, or auth audit

Best practices

  • Run a shallow scan first, then a deep scan to catch dynamically loaded chunks
  • Log progress and save context progressively to avoid data loss on interruption
  • Validate discovered URLs via the REST/auth endpoints to reduce false positives
  • Prioritize the most-referenced URL when multiple projects are found and record alternatives
  • Record exact source locations (file, line, snippet) for reproducible evidence

Example use cases

  • Extract the Supabase URL from a deployed single-page application to begin API testing
  • Scan a downloaded build directory (./dist, ./build) to locate embedded SUPABASE_URL constants
  • Detect and record multiple Supabase URLs when analytics or third-party scripts reference different projects
  • Infer REST, Auth, Storage, Realtime, and Functions endpoints for follow-up validation and exploitation testing

FAQ

Standard project refs (https://<ref>.supabase.co), regional variants (https://<ref>.<region>.supabase.co), and custom domains mapped to Supabase are recognized and handled.

Does finding the URL give access to the project?

No. The URL identifies the project endpoints but does not include keys. Further key extraction steps are required to interact with protected APIs.

Built by
VeilStrat
AI signals for GTM teams
© 2026 VeilStrat. All rights reserved.All systems operational
supabase-extract-url skill by yoanbernabeu/supabase-pentest-skills | VeilStrat