supabase-pentest-skills

---
name: supabase-pentest-skills
description: Professional AI-assisted security auditing toolkit with 24 skills for detecting, extracting, testing, and reporting Supabase vulnerabilities (RLS, IDOR, storage, auth, API).
triggers:
  - audit my supabase application for security issues
  - run a security pentest on this supabase project
  - check for supabase vulnerabilities and exposed keys
  - test row level security policies on my supabase app
  - detect if this website uses supabase and extract credentials
  - generate a security report for my supabase application
  - check for IDOR vulnerabilities in my supabase auth
  - scan for misconfigured storage buckets in supabase
---

# Supabase Pentest Skills

> Skill by [ara.so](https://ara.so) — Security Skills collection.

A comprehensive toolkit of 24 AI agent skills for professional security auditing of Supabase applications. Automates detection, credential extraction, Row Level Security (RLS) testing, IDOR detection, storage audits, authentication analysis, and comprehensive reporting.

## What This Project Does

Supabase Pentest Skills is a modular security auditing framework designed for **internal self-assessment** by authorized development teams. It provides:

- **Detection**: Identify Supabase usage from public URLs
- **Extraction**: Discover exposed API keys, JWTs, service keys, and database connection strings
- **API Audit**: Test PostgREST endpoints, RLS policies, and RPC functions
- **Storage Audit**: Identify misconfigured buckets and unauthorized file access
- **Auth Audit**: Test authentication flows, user enumeration, and IDOR vulnerabilities
- **Evidence Collection**: Professional-grade logging and proof-of-concept documentation
- **Reporting**: Generate detailed Markdown reports with severity ratings and remediation guidance

**Important**: These skills are for authorized testing only. You must own or have explicit permission to audit the target application.

## Installation

### Quick Install (All 24 Skills)

```bash
npx skills add yoanbernabeu/supabase-pentest-skills
```

### Install Specific Skill Packs

```bash
# Detection only
npx skills add yoanbernabeu/supabase-pentest-skills --skill supabase-detect

# Key extraction (5 skills)
npx skills add yoanbernabeu/supabase-pentest-skills --pack supabase-extraction

# API audit (4 skills)
npx skills add yoanbernabeu/supabase-pentest-skills --pack supabase-audit-api

# Storage audit (3 skills)
npx skills add yoanbernabeu/supabase-pentest-skills --pack supabase-audit-storage

# Auth + IDOR testing (4 skills)
npx skills add yoanbernabeu/supabase-pentest-skills --pack supabase-audit-auth

# Global install (all projects)
npx skills add yoanbernabeu/supabase-pentest-skills -g
```

### List Available Skills

```bash
npx skills add yoanbernabeu/supabase-pentest-skills --list
```

## Recommended Professional Setup

For complete audit trail and evidence collection:

```bash
# 1. Create audit directory
mkdir my-security-audit
cd my-security-audit

# 2. Install skills
npx skills add yoanbernabeu/supabase-pentest-skills

# 3. Download agent configuration template
curl -o CLAUDE.md https://raw.githubusercontent.com/yoanbernabeu/supabase-pentest-skills/main/templates/CLAUDE.md

# 4. Launch your AI agent and run
# /supabase-pentest
```

## Core Skills Reference

### Orchestration & Evidence

| Skill | Purpose |
|-------|---------|
| `supabase-pentest` | Main orchestrator — guided step-by-step audit |
| `supabase-evidence` | Initialize professional evidence collection |
| `supabase-help` | Quick reference guide |

### Detection & Extraction

| Skill | Purpose |
|-------|---------|
| `supabase-detect` | Detect Supabase usage from HTML/JS |
| `supabase-extract-url` | Extract project URL |
| `supabase-extract-anon-key` | Extract anon/public API key |
| `supabase-extract-service-key` | **Critical**: Detect leaked service_role key |
| `supabase-extract-jwt` | Extract and decode JWTs |
| `supabase-extract-db-string` | Detect exposed database connection strings |

### API & RLS Testing

| Skill | Purpose |
|-------|---------|
| `supabase-audit-tables-list` | List exposed PostgREST tables |
| `supabase-audit-tables-read` | Attempt data reads |
| `supabase-audit-rls` | Test Row Level Security policies |
| `supabase-audit-rpc` | Test exposed RPC functions |

### Storage & Auth

| Skill | Purpose |
|-------|---------|
| `supabase-audit-buckets-list` | List storage buckets |
| `supabase-audit-buckets-read` | Test file access |
| `supabase-audit-buckets-public` | Detect public bucket misconfigurations |
| `supabase-audit-auth-config` | Analyze auth configuration |
| `supabase-audit-auth-signup` | Test open signup |
| `supabase-audit-auth-users` | Test user enumeration |
| `supabase-audit-authenticated` | **Create test user to detect IDOR** |

### Realtime, Functions & Reporting

| Skill | Purpose |
|-------|---------|
| `supabase-audit-realtime` | Test Realtime channels |
| `supabase-audit-functions` | Test Edge Functions |
| `supabase-report` | Generate comprehensive report |
| `supabase-report-compare` | Compare two audit reports |

## Usage Patterns

### Pattern 1: Full Guided Audit

```
I need a complete security audit of https://myapp.example.com

IMPORTANT:
1. Initialize supabase-evidence first
2. Execute ALL 24 skills systematically
3. Log every action
4. Save all evidence
5. Generate final report

I confirm I am authorized to test this application.
```

The orchestrator will:
1. Initialize evidence collection
2. Run detection and extraction
3. Execute all API, storage, auth audits
4. Generate comprehensive report with severity ratings

### Pattern 2: Targeted Extraction

```
Extract all Supabase credentials from https://example.com
```

This will run:
- `supabase-detect`
- `supabase-extract-url`
- `supabase-extract-anon-key`
- `supabase-extract-service-key` (critical check)
- `supabase-extract-jwt`
- `supabase-extract-db-string`
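The distinction `supabase-extract-service-key` relies on is the `role` claim inside the Supabase key, which is a JWT: `anon` is the key meant for clients, `service_role` bypasses RLS and must never ship in a bundle. The following scanner is an added example (not the project's code) of the same check a team can run over its own build output before deployment. The function names, the JWT regex, the severity mapping and the sample bundle are all assumptions of this example; the tokens are constructed on the fly with placeholder signatures and are not real keys.

```python
import base64
import binascii
import json
import re

# JWT-shaped string: three base64url segments, header starting with eyJ ("{"...).
JWT_RE = re.compile(r"\beyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+")

# Severity the scanner assigns per role claim (assumed mapping for this example).
SEVERITY_FOR_ROLE = {"service_role": "P0", "anon": "info"}


def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment whose '=' padding was stripped."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def jwt_role(token: str):
    """Return the 'role' claim of a JWT payload, or None if the string is not a
    decodable JWT. The signature is deliberately not verified: the question is
    what kind of key a string found in client code claims to be, and verifying
    would require the project's JWT secret, which a scanner should not hold."""
    try:
        _header, payload, _signature = token.split(".")
        claims = json.loads(_b64url_decode(payload))
    except (ValueError, binascii.Error):
        return None
    if not isinstance(claims, dict):
        return None
    role = claims.get("role")
    return role if isinstance(role, str) else None


def scan_bundle(text: str):
    """Find every JWT-shaped string in a client bundle and classify it by role.
    Only a prefix of each token is kept so the result can go into evidence
    files without copying the secret itself."""
    findings = []
    for match in JWT_RE.finditer(text):
        token = match.group(0)
        role = jwt_role(token)
        findings.append({
            "offset": match.start(),
            "token_prefix": token[:16] + "...",
            "role": role,
            "severity": SEVERITY_FOR_ROLE.get(role, "unknown"),
        })
    return findings


def leaked_service_keys(text: str):
    """Subset of scan_bundle() findings that claim role=service_role (P0)."""
    return [f for f in scan_bundle(text) if f["role"] == "service_role"]


# ---- constructed sample data: not real keys, signatures are placeholders ----
def _unsigned_jwt(claims: dict) -> str:
    """Build a JWT-shaped string with a placeholder signature for the sample."""
    def enc(obj):
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{enc({'alg': 'HS256', 'typ': 'JWT'})}.{enc(claims)}.placeholder_signature"


SAMPLE_ANON_KEY = _unsigned_jwt({"iss": "supabase", "ref": "abc123", "role": "anon"})
SAMPLE_SERVICE_KEY = _unsigned_jwt({"iss": "supabase", "ref": "abc123", "role": "service_role"})
SAMPLE_USER_TOKEN = _unsigned_jwt({"sub": "user-1"})  # no role claim at all

SAMPLE_BUNDLE = f"""
const supabaseUrl = 'https://abc123.supabase.co';
const supabase = createClient(supabaseUrl, '{SAMPLE_ANON_KEY}');
// left over from a debugging session:
const admin = createClient(supabaseUrl, '{SAMPLE_SERVICE_KEY}');
const cached = '{SAMPLE_USER_TOKEN}';
"""

if __name__ == "__main__":
    for finding in scan_bundle(SAMPLE_BUNDLE):
        print(finding["severity"], finding["role"], "at offset", finding["offset"])
```

Run against a real bundle by reading the file into `scan_bundle()`; any `service_role` hit is the same P0 condition the report template calls "Service Role Key Exposed in Client Code", and the remediation is the rotation described there, not just deleting the string.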

### Pattern 3: RLS Policy Testing

```
Test Row Level Security policies on my Supabase app at https://example.com
```

This will:
1. Extract credentials
2. List tables (`supabase-audit-tables-list`)
3. Attempt unauthorized reads (`supabase-audit-tables-read`)
4. Test RLS bypass scenarios (`supabase-audit-rls`)

### Pattern 4: IDOR Detection

```
Check for IDOR vulnerabilities in auth on https://example.com
```

This executes `supabase-audit-authenticated`, which:
1. Creates a test user
2. Attempts cross-user data access
3. Tests privilege escalation
4. Documents findings with proof-of-concept

### Pattern 5: Storage Security Audit

```
Audit storage bucket security for my Supabase application
```

Runs:
- `supabase-audit-buckets-list`
- `supabase-audit-buckets-read`
- `supabase-audit-buckets-public`

### Pattern 6: Compare Progress

```
Compare my latest audit with the report from last month
```

Uses `supabase-report-compare` to show:
- New vulnerabilities discovered
- Issues resolved
- Security score changes

## Context & Evidence Files

All skills share state through files:

### `.sb-pentest-context.json`

```json
{
  "target_url": "https://myapp.example.com",
  "supabase_url": "https://abc123.supabase.co",
  "anon_key": "eyJhbGc...",
  "service_key_leaked": false,
  "findings": {
    "p0": ["Service role key exposed in /static/js/main.js"],
    "p1": ["RLS policy missing on 'users' table"],
    "p2": ["Verbose error messages expose table structure"]
  },
  "tables_exposed": ["users", "posts", "comments"],
  "buckets_public": ["avatars"],
  "test_user": {
    "email": "pentest_user_1738329847@example.com",
    "password": "RANDOM_SECURE_PASSWORD"
  }
}
```

### `.sb-pentest-audit.log`

```
[2025-01-31T10:45:23Z] supabase-detect - Started detection on https://myapp.example.com
[2025-01-31T10:45:25Z] supabase-detect - Found Supabase URL: https://abc123.supabase.co
[2025-01-31T10:45:30Z] supabase-extract-anon-key - Extracted anon key from /static/js/app.js
[2025-01-31T10:45:35Z] supabase-audit-tables-list - Found 12 exposed tables
[2025-01-31T10:45:40Z] supabase-audit-rls - P0: 'users' table has no RLS policy
```
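Because the report is generated from these files, it is worth checking that the log and the context file agree before trusting the report. The parser below is an added example, not part of the toolkit: it reads the audit log format shown above, tallies findings by severity, flags timestamps that run backwards (a sign the file was edited by hand), and lists findings that were logged but never written to `findings` in `.sb-pentest-context.json`. The function names and the sample log and context are constructed for this example; the log line format is assumed to be exactly the one shown above.

```python
import json
import re
from collections import Counter
from datetime import datetime, timezone

# "[ISO-8601 UTC] skill-name - message"; a finding's message starts with "P0: ".
LOG_LINE_RE = re.compile(
    r"^\[(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z)\] (?P<skill>[a-z0-9-]+) - (?P<msg>.+)$"
)
FINDING_RE = re.compile(r"^(?P<sev>P[0-2]): (?P<text>.+)$")


def parse_audit_log(text: str):
    """Parse the log into dicts. Any line that does not fit the format raises,
    because an unparseable line in an evidence file is itself worth noticing."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line:
            continue
        m = LOG_LINE_RE.match(line)
        if m is None:
            raise ValueError(f"line {lineno}: not an audit log line: {line!r}")
        finding = FINDING_RE.match(m["msg"])
        entries.append({
            "timestamp": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
                                 .replace(tzinfo=timezone.utc),
            "skill": m["skill"],
            "message": m["msg"],
            "severity": finding["sev"] if finding else None,
            "finding": finding["text"] if finding else None,
        })
    return entries


def severity_counts(entries) -> dict:
    """Number of P0/P1/P2 findings recorded in the log."""
    return dict(Counter(e["severity"] for e in entries if e["severity"]))


def out_of_order(entries):
    """Indexes of entries whose timestamp precedes the previous entry's. Skills
    append in real time, so a backwards step means the file was edited or
    merged by hand and the audit trail should be reviewed."""
    return [i for i in range(1, len(entries))
            if entries[i]["timestamp"] < entries[i - 1]["timestamp"]]


def findings_missing_from_context(entries, context: dict):
    """Findings that were logged but are absent from the context file's
    "findings" map (keyed p0/p1/p2), which is what the report is built from."""
    recorded = context.get("findings", {})
    return [
        (e["severity"], e["finding"])
        for e in entries
        if e["severity"] and e["finding"] not in recorded.get(e["severity"].lower(), [])
    ]


# ---- constructed sample data (same format as the files shown above) ----
SAMPLE_LOG = """\
[2025-01-31T10:45:23Z] supabase-detect - Started detection on https://myapp.example.com
[2025-01-31T10:45:25Z] supabase-detect - Found Supabase URL: https://abc123.supabase.co
[2025-01-31T10:45:30Z] supabase-extract-anon-key - Extracted anon key from /static/js/app.js
[2025-01-31T10:45:35Z] supabase-audit-tables-list - Found 12 exposed tables
[2025-01-31T10:45:40Z] supabase-audit-rls - P0: 'users' table has no RLS policy
[2025-01-31T10:46:02Z] supabase-audit-buckets-public - P1: bucket 'avatars' is public
[2025-01-31T10:46:10Z] supabase-audit-auth-signup - P2: open signup without email confirmation
"""

SAMPLE_CONTEXT = json.loads("""{
  "findings": {
    "p0": ["'users' table has no RLS policy"],
    "p1": ["bucket 'avatars' is public"],
    "p2": []
  }
}""")  # constructed gap: the P2 finding was logged but never recorded

if __name__ == "__main__":
    entries = parse_audit_log(SAMPLE_LOG)
    print("counts:", severity_counts(entries))
    print("out of order:", out_of_order(entries))
    print("missing from context:", findings_missing_from_context(entries, SAMPLE_CONTEXT))
```

A non-empty result from `findings_missing_from_context()` means the generated report will under-count; fix the context file and regenerate rather than editing the report by hand.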

### `.sb-pentest-evidence/` Directory Structure

```
.sb-pentest-evidence/
├── README.md                    # Evidence index
├── curl-commands.sh             # Reproducible API calls
├── timeline.md                  # Chronological findings
├── 01-detection/
│   └── supabase-detected.md
├── 02-extraction/
│   ├── url-extracted.md
│   ├── anon-key-extracted.md
│   └── service-key-LEAKED.md    # P0 finding
├── 03-api-audit/
│   ├── tables-list.json
│   ├── rls-bypass-users.md      # P0 finding
│   └── rpc-functions.json
├── 04-storage-audit/
│   └── public-bucket-avatars.md # P1 finding
└── 05-auth-audit/
    ├── test-user-created.md
    └── idor-detected-users.md   # P0 finding
```

### `curl-commands.sh` (Reproducible Tests)

```bash
#!/bin/bash
# Generated by supabase-pentest-skills
# All API calls made during audit

# List tables (unauthenticated)
curl -X GET 'https://abc123.supabase.co/rest/v1/' \
  -H "apikey: eyJhbGc..." \
  -H "Authorization: Bearer eyJhbGc..."

# Attempt to read users table (RLS bypass test)
curl -X GET 'https://abc123.supabase.co/rest/v1/users?select=*' \
  -H "apikey: eyJhbGc..." \
  -H "Authorization: Bearer eyJhbGc..."

# Test public bucket access
curl -X GET 'https://abc123.supabase.co/storage/v1/object/public/avatars/user-123.jpg'

# IDOR test: User A accessing User B's data
curl -X GET 'https://abc123.supabase.co/rest/v1/profiles?user_id=eq.OTHER_USER_ID' \
  -H "apikey: eyJhbGc..." \
  -H "Authorization: Bearer USER_A_JWT"
```

## Report Format

### Example Output (`supabase-audit-report.md`)

````markdown
# Supabase Security Audit Report

**Target**: https://myapp.example.com
**Supabase Project**: https://abc123.supabase.co
**Date**: 2025-01-31
**Auditor**: AI Agent (supabase-pentest-skills)

---

## Executive Summary

**Security Score**: 45/100 (Grade: D)

- **2 P0 (Critical)** issues found
- **3 P1 (High)** issues found
- **5 P2 (Medium)** issues found

**Risk Level**: HIGH — Immediate action required

### Key Risks
1. Service role key exposed in client code (full DB access)
2. Row Level Security disabled on `users` table
3. IDOR vulnerability allows cross-user data access

---

## Critical Findings (P0)

### 1. Service Role Key Exposed in Client Code

**Severity**: P0 - Critical  
**Location**: `/static/js/main.js:1247`  
**Impact**: Full database access bypassing all RLS policies

**Evidence**:
```javascript
const supabase = createClient(
  'https://abc123.supabase.co',
  'eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJyb2xlIjoic2VydmljZV9yb2xlIn0...'
  // ^ This is a service_role key!
)
```

**Remediation**:
1. Rotate the service_role key immediately in Supabase Dashboard > Settings > API
2. Remove from client code
3. Use anon key in client, service key ONLY in secure backend/Edge Functions

**References**:
- [Supabase Security Best Practices](https://supabase.com/docs/guides/auth/managing-user-data#security-considerations)
- [API Keys Documentation](https://supabase.com/docs/guides/api/api-keys)

---

### 2. Row Level Security Disabled on `users` Table

**Severity**: P0 - Critical  
**Impact**: All user data readable/writable by anyone with anon key

**Test Result**:
```bash
curl 'https://abc123.supabase.co/rest/v1/users?select=*' \
  -H "apikey: ANON_KEY"
# Returns ALL users including emails, phone numbers, metadata
```

**Remediation**:
```sql
-- Enable RLS
ALTER TABLE users ENABLE ROW LEVEL SECURITY;

-- Policy: Users can only read their own data
CREATE POLICY "Users can view own data"
  ON users FOR SELECT
  USING (auth.uid() = id);

-- Policy: Users can update their own data
CREATE POLICY "Users can update own data"
  ON users FOR UPDATE
  USING (auth.uid() = id);
```

---

## High Priority Findings (P1)

### 1. Public Storage Bucket Misconfiguration

**Severity**: P1 - High  
**Bucket**: `avatars`  
**Impact**: All uploaded avatars accessible without authentication

**Test**:
```bash
curl 'https://abc123.supabase.co/storage/v1/object/public/avatars/user-456/avatar.jpg'
# Returns file without auth
```

**Remediation**:
- Make bucket private if files should be protected
- Use signed URLs for temporary access
- Implement storage policies:

```sql
CREATE POLICY "Avatar access policy"
  ON storage.objects FOR SELECT
  USING (
    bucket_id = 'avatars' AND
    (storage.foldername(name))[1] = auth.uid()::text
  );
```

---

## Medium Priority Findings (P2)

### 1. Verbose Error Messages Expose Schema

**Severity**: P2 - Medium  
**Impact**: Attackers can enumerate table structure

**Example**:
```
POST /rest/v1/users
Response: "column 'internal_admin_flag' does not exist"
```

**Remediation**: Configure PostgREST to return generic errors in production

---

## Remediation Checklist

- [ ] **URGENT**: Rotate service_role key
- [ ] **URGENT**: Enable RLS on all tables
- [ ] **URGENT**: Fix IDOR vulnerability in profiles API
- [ ] Make `avatars` bucket private or add RLS
- [ ] Disable open signup or add email verification
- [ ] Review all RPC function permissions
- [ ] Implement rate limiting on auth endpoints
- [ ] Configure generic error messages for production
- [ ] Add monitoring for suspicious API access patterns
- [ ] Schedule monthly security audits

---

## Next Steps

1. Address all P0 issues immediately
2. Re-run audit with: `/supabase-pentest` after fixes
3. Compare reports: `supabase-report-compare old-report.md new-report.md`
4. Establish continuous security testing in CI/CD

---

**Generated by**: supabase-pentest-skills v1.0  
**Evidence**: See `.sb-pentest-evidence/` directory  
**Reproducible Tests**: `.sb-pentest-evidence/curl-commands.sh`
````

## Configuration

### Environment Variables

Skills use context files instead of environment variables. However, you can configure:

```bash
# Target URL (overrides prompt)
export SUPABASE_PENTEST_TARGET="https://myapp.example.com"

# Skip confirmation prompts (CI/CD)
export SUPABASE_PENTEST_AUTO_CONFIRM="true"

# Custom evidence directory
export SUPABASE_PENTEST_EVIDENCE_DIR="./security-audit-evidence"
```

### CLAUDE.md Template Configuration

The recommended template enforces:

```markdown
# Audit Execution Rules

1. **ALWAYS use Plan Mode** (`EnterPlanMode`) before starting
2. **Initialize evidence collection** with `supabase-evidence` FIRST
3. **Execute ALL 24 skills systematically** — NO EXCEPTIONS
4. **After EACH skill**:
   - Update `.sb-pentest-context.json`
   - Append to `.sb-pentest-audit.log`
   - Save evidence to `.sb-pentest-evidence/`
   - Update `timeline.md` for P0/P1/P2 findings
5. **NEVER skip phases** without explicit user confirmation
6. **Generate final report** with `supabase-report`
```

## Troubleshooting

### Issue: "Supabase not detected"

**Cause**: Target site doesn't use Supabase or keys are dynamically loaded

**Solution**:
```
Check the page source manually at https://example.com and look for:
- Strings containing 'supabase.co'
- Variables like 'SUPABASE_URL' or 'supabaseUrl'
- Network requests to '*.supabase.co'
```

### Issue: "Rate limited by Supabase API"

**Cause**: Too many requests in short time

**Solution**: Skills automatically slow down when detecting rate limits. If persistent:
```
Wait 5 minutes before retrying the audit
```

### Issue: "No tables found"

**Cause**: Either no tables exposed or API key invalid

**Solution**:
```
Verify the extracted anon key is correct:
1. Check .sb-pentest-context.json
2. Test manually:
   curl 'https://YOUR_PROJECT.supabase.co/rest/v1/' \
     -H "apikey: YOUR_ANON_KEY"
```

### Issue: "Context file missing"

**Cause**: Skills executed out of order

**Solution**:
```
Always start with the orchestrator:
/supabase-pentest

Or run detection first:
supabase-detect on https://example.com
```

### Issue: "Test user creation failed"

**Cause**: Signup disabled or email verification required

**Solution**:
```
Check auth settings:
1. Supabase Dashboard > Authentication > Providers
2. Look for "Enable email confirmations"

The skill will note this as a security finding (positive or negative depending on your requirements).
```

## Real-World Example Workflow

```bash
# 1. Set up audit directory
mkdir myapp-security-audit-2025-01-31
cd myapp-security-audit-2025-01-31

# 2. Install skills
npx skills add yoanbernabeu/supabase-pentest-skills

# 3. Download template
curl -o CLAUDE.md https://raw.githubusercontent.com/yoanbernabeu/supabase-pentest-skills/main/templates/CLAUDE.md

# 4. Launch AI agent (e.g., Claude Code) and run:
```

**Prompt to AI agent**:
```
Run a complete Supabase security audit on https://production.myapp.com

CRITICAL REQUIREMENTS:
1. Use Plan Mode (EnterPlanMode) before starting
2. Initialize supabase-evidence FIRST
3. Execute ALL 24 skills in order
4. Log every action to .sb-pentest-audit.log
5. Save all evidence to .sb-pentest-evidence/
6. Generate comprehensive report

I confirm I am the owner and authorized to test this application.
```

**Expected Output**:
```
✅ Evidence collection initialized
✅ Supabase detected: https://xyz789.supabase.co
✅ Extracted anon key: eyJhbGc...
⚠️  P1: Service key NOT found (good)
✅ Found 8 exposed tables
⚠️  P0: RLS disabled on 'profiles' table
⚠️  P0: IDOR vulnerability - User A can read User B's data
✅ Storage: 3 buckets found
⚠️  P1: Bucket 'user-uploads' is public
✅ Auth: Signup requires email confirmation (secure)
✅ Report generated: supabase-audit-report.md

Security Score: 62/100 (Grade: D)
3 P0 issues, 2 P1 issues, 4 P2 issues
```

## Integration with CI/CD

### GitHub Actions Example

```yaml
name: Monthly Security Audit

on:
  schedule:
    - cron: '0 0 1 * *' # First day of month
  workflow_dispatch:

jobs:
  audit:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      
      - name: Install Supabase Pentest Skills
        run: npx skills add yoanbernabeu/supabase-pentest-skills -y
      
      - name: Run Security Audit
        run: |
          # Use AI agent CLI (example with Claude Code CLI)
          claude-code run "
          Run complete Supabase audit on ${{ vars.PRODUCTION_URL }}
          Auto-confirm all steps.
          Save report to ./audit-report.md
          "
      
      - name: Upload Report
        uses: actions/upload-artifact@v4
        with:
          name: security-audit-report
          path: |
            audit-report.md
            .sb-pentest-evidence/
      
      - name: Check for Critical Issues
        run: |
          # Match the Executive Summary count line with a non-zero P0 count.
          # A plain `grep -q "P0"` would fail every report, because the
          # Next Steps section always contains "Address all P0 issues".
          if grep -Eq '^- \*\*[1-9][0-9]* P0 \(Critical\)\*\*' audit-report.md; then
            echo "::error::Critical security issues found!"
            exit 1
          fi
```
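A CI gate that keys on any occurrence of the string `P0` fails even a clean report, because the report template's Next Steps section always says "Address all P0 issues immediately". The script below is an added example (not part of the toolkit) of a gate that reads the Executive Summary count lines instead, cross-checks them against the number of `### N.` finding headings in each severity section, and fails the build only on real P0/P1 findings or on a report whose summary and body disagree. The report layout is assumed to be the one shown under "Report Format"; the function names, thresholds and the two sample reports are constructed for this example.

```python
import re
import sys

# One count line per severity in the Executive Summary, e.g.
# "- **2 P0 (Critical)** issues found".
SUMMARY_RE = re.compile(
    r"^- \*\*(?P<count>\d+) (?P<sev>P[0-2]) \((?:Critical|High|Medium)\)\*\* issues? found$",
    re.MULTILINE,
)
SECTION_RE = re.compile(r"^## (?P<title>.+)$", re.MULTILINE)
FINDING_HEADING_RE = re.compile(r"^### \d+\. ", re.MULTILINE)
SECTION_SEVERITY = {
    "Critical Findings (P0)": "P0",
    "High Priority Findings (P1)": "P1",
    "Medium Priority Findings (P2)": "P2",
}


def naive_grep_gate(report: str) -> bool:
    """What `grep -q "P0"` tests: True whenever the text contains "P0" anywhere."""
    return "P0" in report


def summary_counts(report: str) -> dict:
    """Counts declared in the Executive Summary. A report without all three
    count lines is an error, never silently treated as zero findings."""
    counts = {m["sev"]: int(m["count"]) for m in SUMMARY_RE.finditer(report)}
    if set(counts) != {"P0", "P1", "P2"}:
        raise ValueError(f"Executive Summary count lines missing; found {sorted(counts)}")
    return counts


def finding_counts(report: str) -> dict:
    """Number of '### N. ...' headings inside each severity section."""
    counts = {"P0": 0, "P1": 0, "P2": 0}
    headings = list(SECTION_RE.finditer(report))
    for i, h in enumerate(headings):
        sev = SECTION_SEVERITY.get(h["title"].strip())
        if sev is None:
            continue
        end = headings[i + 1].start() if i + 1 < len(headings) else len(report)
        counts[sev] = len(FINDING_HEADING_RE.findall(report[h.end():end]))
    return counts


def gate(report: str, max_p0: int = 0, max_p1: int = 0):
    """Return (passed, reasons). Fails on more P0/P1 findings than allowed and
    on a summary that does not match the detailed finding sections."""
    reasons = []
    summary = summary_counts(report)
    detailed = finding_counts(report)
    if summary != detailed:
        reasons.append(f"summary {summary} does not match finding sections {detailed}")
    if summary["P0"] > max_p0:
        reasons.append(f"{summary['P0']} P0 finding(s), at most {max_p0} allowed")
    if summary["P1"] > max_p1:
        reasons.append(f"{summary['P1']} P1 finding(s), at most {max_p1} allowed")
    return (not reasons, reasons)


# ---- constructed sample reports in the template's layout ----
CLEAN_REPORT = """# Supabase Security Audit Report

## Executive Summary

- **0 P0 (Critical)** issues found
- **0 P1 (High)** issues found
- **1 P2 (Medium)** issues found

## Critical Findings (P0)

None.

## High Priority Findings (P1)

None.

## Medium Priority Findings (P2)

### 1. Verbose Error Messages Expose Schema

## Next Steps

1. Address all P0 issues immediately
"""

FAILING_REPORT = CLEAN_REPORT.replace(
    "- **0 P0 (Critical)** issues found", "- **1 P0 (Critical)** issues found"
).replace("## Critical Findings (P0)\n\nNone.",
          "## Critical Findings (P0)\n\n### 1. Service Role Key Exposed in Client Code")

if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else "audit-report.md"
    with open(path, encoding="utf-8") as fh:
        passed, reasons = gate(fh.read())
    for reason in reasons:
        print(f"::error::{reason}")
    sys.exit(0 if passed else 1)
```

In the workflow, replace the `grep` step with `python3 gate_report.py audit-report.md` (file name assumed); the `::error::` lines surface in the GitHub Actions log exactly as the original step's message does.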

## Security Best Practices

1. **Never commit context files to version control**:
   ```bash
   echo ".sb-pentest-context.json" >> .gitignore
   echo ".sb-pentest-audit.log" >> .gitignore
   echo ".sb-pentest-evidence/" >> .gitignore
   ```

2. **Always run in isolated audit directories**

3. **Delete test users after audit**:
   ```
   After completing the audit, delete the test user from Supabase Dashboard > Authentication > Users
   ```

4. **Rotate keys if service_role leaked**:
   ```
   If P0 finding "service_role key exposed":
   1. Go to Supabase Dashboard > Settings > API
   2. Click "Rotate" on service_role key
   3. Update all backend services immediately
   ```

5. **Share reports securely** (not via public links)

## Advanced Usage

### Custom Severity Thresholds

Add a `custom_severity_rules` object to `.sb-pentest-context.json` (plain JSON, which does not allow comments):

```json
{
  "custom_severity_rules": {
    "public_buckets": "P1",
    "missing_rls": "P0",
    "open_signup": "P2"
  }
}
```

Defaults: `public_buckets` is P2, `missing_rls` is P0, `open_signup` is P1.

### Exclude Specific Tests

```
Run Supabase audit but skip auth testing (we have SSO integration)
```

The orchestrator will skip auth-related skills if you specify exclusions.

### Multi-Environment Testing

```bash
# Staging
mkdir staging-audit
cd staging-audit
# Run audit on https://staging.myapp.com

# Production
mkdir production-audit
cd production-audit
# Run audit on https://myapp.com

# Compare
supabase-report-compare ../staging-audit/report.md ./report.md
```

## Legal & Ethical Considerations

✅ **Authorized Use**:
- Internal security assessment by development teams
- Pre-deployment vulnerability scanning
- Compliance audits with proper authorization

❌ **Unauthorized Use**:
- Testing applications you don't own
- Testing without explicit written permission
- Using findings for malicious purposes

**Disclaimer**: This toolkit is provided for authorized security testing only. Unauthorized access to computer systems is illegal. Always obtain proper authorization before testing.

## Additional Resources

- [Supabase Security Documentation](https://supabase.com/docs/guides/auth/row-level-security)
- [PostgREST Security Best Practices](https://postgrest.org/en/stable/auth.html)
- [OWASP API Security Top 10](https://owasp.org/www-project-api-security/)
- [Project Repository](https://github.com/yoanbernabeu/supabase-pentest-skills)

Source

Creator's repository · aradotso/security-skills
