supabase-pentest_skill

This skill orchestrates a comprehensive Supabase security audit, guiding phased testing and progressive evidence logging for reliable risk reporting.

27

GitHub Stars

1

Bundled Files

2 months ago

Catalog Refreshed

4 months ago

First Indexed

Readme & install

Copy the install command, review bundled files from the catalogue, and read any extended description pulled from the listing source.

Installation

Preview and clipboard use veilstrat where the catalogue uses aiagentskills.

npx veilstrat add skill yoanbernabeu/supabase-pentest-skills --skill supabase-pentest

  • SKILL.md14.8 KB

Overview

This skill orchestrates a complete Supabase security audit with guided, step-by-step execution and enforced ownership confirmation. It runs detection, credential extraction, API and storage audits, RLS and auth checks, realtime/functions testing, and generates a comprehensive report. The orchestrator enforces progressive evidence collection and checkpoint verification so findings are preserved even if the audit is interrupted.

How this skill works

The skill runs the audit as a sequence of phases: initialization, detection, key extraction, API audit, storage audit, auth audit, realtime/functions audit, and report generation. Each phase logs actions before and after execution, saves evidence files immediately, and updates a centralized context file so the audit state is always recoverable. When available, Plan Mode is recommended to build and approve a multi-phase plan before execution.

When to use it

  • Perform a full security assessment of a Supabase-based application
  • Run an internal or pre-production security review before deployment
  • Audit an application after a suspected security incident
  • Conduct recurring security reviews as part of compliance or risk management
  • Resume or continue a previously interrupted Supabase audit

Best practices

  • Confirm explicit written authorization to test the target before starting
  • Use Plan Mode when supported to validate scope and get user approval
  • Run audits during low-traffic windows to reduce impact on production
  • Write context and evidence files incrementally — after every discovery or action
  • Verify required files and evidence exist before transitioning between phases

Example use cases

  • Full audit of https://myapp.example.com with progressive evidence collection
  • Resume an interrupted audit from Phase 3 (API Audit) using saved context
  • Skip specific phases (for example, skip auth audit) to tailor scope
  • Create a test user (with consent) to detect IDOR and cross-user access issues
  • Generate a final Markdown report with executive summary and remediation steps

FAQ

Yes. You must own the application or have explicit written authorization to perform security testing.

What happens if the audit process is interrupted?

All findings and logs are written incrementally to context and evidence files so the audit can be resumed from the last saved checkpoint.

Is Plan Mode required?

Plan Mode is recommended for complex audits for better traceability, but the audit can proceed without it if unavailable.

Built by
VeilStrat
AI signals for GTM teams
© 2026 VeilStrat. All rights reserved.All systems operational
supabase-pentest skill by yoanbernabeu/supabase-pentest-skills | VeilStrat