supabase-help skill

This skill provides a concise reference for all Supabase security audit tasks, guiding usage and examples to speed up assessments.

npx playbooks add skill yoanbernabeu/supabase-pentest-skills --skill supabase-help

SKILL.md (5.7 KB):

---
name: supabase-help
description: Quick reference for all Supabase security audit skills with usage examples and command overview.
---

# Supabase Pentest Skills Help

Quick reference for all 24 security audit skills.

## When to Use This Skill

- Need a quick overview of available skills
- Looking for the right skill for a specific task
- Want usage examples for a particular skill

## Quick Start

```bash
# Full guided audit
/supabase-pentest https://myapp.example.com

# Check if app uses Supabase
/supabase-detect https://myapp.example.com

# Generate report from previous audit
/supabase-report
```

## All Skills Reference

### Orchestration

| Skill | Command | Purpose |
|-------|---------|---------|
| `supabase-pentest` | `/supabase-pentest <url>` | Full guided security audit |
| `supabase-evidence` | `/supabase-evidence` | Initialize evidence collection |
| `supabase-help` | `/supabase-help` | This help reference |

### Detection

| Skill | Command | Purpose |
|-------|---------|---------|
| `supabase-detect` | `/supabase-detect <url>` | Detect Supabase usage |

### Extraction

| Skill | Command | Purpose |
|-------|---------|---------|
| `supabase-extract-url` | `/supabase-extract-url <url>` | Find Supabase project URL |
| `supabase-extract-anon-key` | `/supabase-extract-anon-key` | Extract anon API key |
| `supabase-extract-service-key` | `/supabase-extract-service-key` | Find leaked service key |
| `supabase-extract-jwt` | `/supabase-extract-jwt` | Extract JWTs from code |
| `supabase-extract-db-string` | `/supabase-extract-db-string` | Find DB connection strings |

### API Audit

| Skill | Command | Purpose |
|-------|---------|---------|
| `supabase-audit-tables-list` | `/supabase-audit-tables-list` | List exposed tables |
| `supabase-audit-tables-read` | `/supabase-audit-tables-read` | Read table data |
| `supabase-audit-rls` | `/supabase-audit-rls` | Test RLS policies |
| `supabase-audit-rpc` | `/supabase-audit-rpc` | Test RPC functions |

### Storage Audit

| Skill | Command | Purpose |
|-------|---------|---------|
| `supabase-audit-buckets-list` | `/supabase-audit-buckets-list` | List storage buckets |
| `supabase-audit-buckets-read` | `/supabase-audit-buckets-read` | Read bucket files |
| `supabase-audit-buckets-public` | `/supabase-audit-buckets-public` | Find public buckets |

### Auth Audit

| Skill | Command | Purpose |
|-------|---------|---------|
| `supabase-audit-auth-config` | `/supabase-audit-auth-config` | Check auth settings |
| `supabase-audit-auth-signup` | `/supabase-audit-auth-signup` | Test signup access |
| `supabase-audit-auth-users` | `/supabase-audit-auth-users` | Test user enumeration |
| `supabase-audit-authenticated` | `/supabase-audit-authenticated` | **Create test user to detect IDOR** |

### Realtime & Functions

| Skill | Command | Purpose |
|-------|---------|---------|
| `supabase-audit-realtime` | `/supabase-audit-realtime` | Test Realtime channels |
| `supabase-audit-functions` | `/supabase-audit-functions` | Test Edge Functions |

### Reporting

| Skill | Command | Purpose |
|-------|---------|---------|
| `supabase-report` | `/supabase-report` | Generate Markdown report |
| `supabase-report-compare` | `/supabase-report-compare <old> <new>` | Compare two reports |

## Severity Levels

| Level | Color | Description |
|-------|-------|-------------|
| **P0** | 🔴 | Critical: data exposure, user data, privilege escalation |
| **P1** | 🟠 | High: sensitive data, security misconfiguration |
| **P2** | 🟡 | Medium: minor exposure, best practice violations |

## Common Workflows

### Quick Security Check

```
1. /supabase-detect https://myapp.com
2. /supabase-extract-anon-key
3. /supabase-audit-rls
4. /supabase-report
```

### Full Audit

```
1. /supabase-pentest https://myapp.com
   (Follow guided prompts through all phases)
```

### Storage-Only Audit

```
1. /supabase-detect https://myapp.com
2. /supabase-audit-buckets-list
3. /supabase-audit-buckets-public
4. /supabase-report
```

### Compare After Fixes

```
1. Copy previous report to reports/audit-v1.md
2. Run new audit: /supabase-pentest https://myapp.com
3. /supabase-report-compare reports/audit-v1.md supabase-audit-report.md
```

## Files and Directories Created

| File/Directory | Description |
|----------------|-------------|
| `.sb-pentest-context.json` | Shared context between skills |
| `.sb-pentest-audit.log` | Action log with timestamps |
| `.sb-pentest-evidence/` | **Evidence directory for professional audits** |
| `supabase-audit-report.md` | Final security report |

### Evidence Directory Structure

```
.sb-pentest-evidence/
├── README.md                 # Evidence index
├── curl-commands.sh          # Reproducible commands
├── timeline.md               # Chronological findings
├── 01-detection/             # Detection evidence
├── 02-extraction/            # Key extraction evidence
├── 03-api-audit/             # API audit evidence
├── 04-storage-audit/         # Storage audit evidence
├── 05-auth-audit/            # Auth audit evidence
├── 06-realtime-audit/        # Realtime audit evidence
├── 07-functions-audit/       # Functions audit evidence
└── screenshots/              # Optional screenshots
```

## Tips

1. **Always run detection first**: most skills auto-invoke it, but it's faster to run it explicitly
2. **Check the context file**: if a skill behaves unexpectedly, the context may contain stale data
3. **Use the orchestrator for full audits**: it handles dependencies automatically
4. **Save reports with dates**: rename `supabase-audit-report.md` to include the date for history

## Need More Help?

- Each skill has detailed documentation: run `/supabase-<skill-name>` for specifics
- Check the README at the repository root
- Open an issue on GitHub for bugs or feature requests

Overview

This skill provides a concise reference for 24 Supabase-focused security audit actions, their commands, and quick usage patterns. It’s designed to help penetration testers and security engineers find the right audit step fast and run reproducible workflows. The reference covers detection, key extraction, API/RLS testing, storage checks, auth checks, realtime/functions testing, and reporting.

How this skill works

The help skill lists each audit capability with its command and short purpose, so you can pick the exact tool for the job. It also summarizes common workflows, severity levels, file outputs, and the evidence directory layout to keep audits consistent and traceable. Use it as a launchpad for single checks or a full guided audit orchestrator.

When to use it

  • You need a quick overview of available Supabase audit skills and commands.
  • You want usage examples for a specific audit task (RLS, storage, auth, etc.).
  • You’re preparing a guided, reproducible audit and need the recommended workflows.
  • You need to know what files and evidence the tools produce for reporting.
  • You want severity guidance and prioritization for findings.

Best practices

  • Always run detection first to populate context and speed subsequent checks.
  • Keep the shared context file current to avoid stale or conflicting data.
  • Use the orchestrator command for full audits to automatically handle dependencies.
  • Save reports with dated filenames for historical comparisons and tracking.
  • Store all evidence into the documented evidence directory to preserve reproducibility.

Example use cases

  • Quick security check: detect Supabase, extract anon key, test RLS, then generate a report.
  • Full guided audit: run the orchestrator against a target URL and follow prompts through all phases.
  • Storage-only audit: detect, list buckets, find public buckets, then produce storage-focused evidence.
  • Regression comparison: run a new audit and compare current report with a previous report to validate fixes.
  • Credential discovery: extract anon/service keys and JWTs from target assets for further API testing.

FAQ

What is the recommended first step for an audit?

Run detection to confirm Supabase usage and populate the audit context before other checks.

How do I produce a final report?

Use the report command to generate a Markdown audit report; save it with a date or version for tracking.