- Home
- Skills
- Yoanbernabeu
- Supabase Pentest Skills
- Supabase Pentest
supabase-pentest_skill
27
GitHub Stars
1
Bundled Files
2 months ago
Catalog Refreshed
4 months ago
First Indexed
Readme & install
Copy the install command, review bundled files from the catalogue, and read any extended description pulled from the listing source.
Installation
Preview and clipboard use veilstrat where the catalogue uses aiagentskills.
npx veilstrat add skill yoanbernabeu/supabase-pentest-skills --skill supabase-pentest- SKILL.md14.8 KB
Overview
This skill orchestrates a complete Supabase security audit with guided, step-by-step execution and enforced ownership confirmation. It runs detection, credential extraction, API and storage audits, RLS and auth checks, realtime/functions testing, and generates a comprehensive report. The orchestrator enforces progressive evidence collection and checkpoint verification so findings are preserved even if the audit is interrupted.
How this skill works
The skill runs the audit as a sequence of phases: initialization, detection, key extraction, API audit, storage audit, auth audit, realtime/functions audit, and report generation. Each phase logs actions before and after execution, saves evidence files immediately, and updates a centralized context file so the audit state is always recoverable. When available, Plan Mode is recommended to build and approve a multi-phase plan before execution.
When to use it
- Perform a full security assessment of a Supabase-based application
- Run an internal or pre-production security review before deployment
- Audit an application after a suspected security incident
- Conduct recurring security reviews as part of compliance or risk management
- Resume or continue a previously interrupted Supabase audit
Best practices
- Confirm explicit written authorization to test the target before starting
- Use Plan Mode when supported to validate scope and get user approval
- Run audits during low-traffic windows to reduce impact on production
- Write context and evidence files incrementally — after every discovery or action
- Verify required files and evidence exist before transitioning between phases
Example use cases
- Full audit of https://myapp.example.com with progressive evidence collection
- Resume an interrupted audit from Phase 3 (API Audit) using saved context
- Skip specific phases (for example, skip auth audit) to tailor scope
- Create a test user (with consent) to detect IDOR and cross-user access issues
- Generate a final Markdown report with executive summary and remediation steps
FAQ
Yes. You must own the application or have explicit written authorization to perform security testing.
What happens if the audit process is interrupted?
All findings and logs are written incrementally to context and evidence files so the audit can be resumed from the last saved checkpoint.
Is Plan Mode required?
Plan Mode is recommended for complex audits for better traceability, but the audit can proceed without it if unavailable.