Supabase Detection

🔴 CRITICAL: PROGRESSIVE FILE UPDATES REQUIRED

You MUST write to context files AS YOU GO, not just at the end.
Write to
.sb-pentest-context.json
IMMEDIATELY after each discovery
Log to
.sb-pentest-audit.log
BEFORE and AFTER each action
DO NOT wait until the skill completes to update files

If the skill crashes or is interrupted, all prior findings must already be saved
This is not optional. Failure to write progressively is a critical error.

This skill determines whether a web application uses Supabase as its backend.

When to Use This Skill

Starting a security audit on an unknown application
Verifying Supabase usage before running other audit skills
Quickly checking multiple applications for Supabase presence

Prerequisites

Target URL must be publicly accessible
Internet connection to fetch and analyze the target

Detection Methods

The skill uses multiple detection vectors:

1. Domain Pattern Matching

Searches for Supabase-related domains in:

HTML source code
JavaScript bundles
Network requests (via inline scripts)

Patterns detected:

*.supabase.co
*.supabase.com
supabase-cdn.com

2. JavaScript Client Detection

Looks for Supabase client library signatures:

javascript

// Import patterns
import { createClient } from '@supabase/supabase-js'
const { createClient } = require('@supabase/supabase-js')

// Client initialization
supabase.createClient(
createClient('https://
SUPABASE_URL
NEXT_PUBLIC_SUPABASE
VITE_SUPABASE
REACT_APP_SUPABASE

3. API Endpoint Detection

Checks for characteristic Supabase endpoints:

/rest/v1/
/auth/v1/
/storage/v1/
/realtime/v1/
/functions/v1/

4. Response Header Analysis

Looks for Supabase-specific headers:

x-supabase-*
sb-*

Usage

Basic Detection

Check if https://myapp.example.com uses Supabase

Detection with Verbose Output

Detect Supabase on https://myapp.example.com with full details

Output Format

Supabase Detected

═══════════════════════════════════════════════════════════
 SUPABASE DETECTED
═══════════════════════════════════════════════════════════

 Target: https://myapp.example.com
 Status: ✅ Supabase usage confirmed

 Detection Evidence:
 ├── Domain: abc123def.supabase.co (found in main.js)
 ├── Client: @supabase/supabase-js v2.x detected
 ├── Endpoints: /rest/v1/, /auth/v1/, /storage/v1/
 └── Headers: x-supabase-api-version present

 Project Reference: abc123def
 Project URL: https://abc123def.supabase.co

 Context saved to: .sb-pentest-context.json
═══════════════════════════════════════════════════════════

Supabase Not Detected

═══════════════════════════════════════════════════════════
 DETECTION RESULT
═══════════════════════════════════════════════════════════

 Target: https://myapp.example.com
 Status: ❌ Supabase not detected

 Scanned:
 ├── HTML source: No Supabase patterns
 ├── JavaScript bundles: 3 files analyzed, no matches
 ├── Network patterns: No Supabase endpoints
 └── Response headers: No Supabase headers

 Note: The app may use a self-hosted Supabase or custom domain.
       Try providing a known Supabase URL manually if you have one.
═══════════════════════════════════════════════════════════

Context Output

When Supabase is detected, the skill saves to

.sb-pentest-context.json

json

{
  "target_url": "https://myapp.example.com",
  "detection": {
    "detected": true,
    "confidence": "high",
    "timestamp": "2025-01-31T10:00:00Z",
    "evidence": [
      {
        "type": "domain",
        "value": "abc123def.supabase.co",
        "location": "/static/js/main.js",
        "line": 1247
      },
      {
        "type": "client_library",
        "value": "@supabase/supabase-js",
        "version": "2.x"
      }
    ]
  },
  "supabase": {
    "project_ref": "abc123def",
    "project_url": "https://abc123def.supabase.co"
  }
}

Audit Log Entry

Each detection is logged to

.sb-pentest-audit.log

[2025-01-31T10:00:00Z] DETECTION_START target=https://myapp.example.com
[2025-01-31T10:00:01Z] FETCH_HTML status=200 size=45KB
[2025-01-31T10:00:02Z] FETCH_JS file=main.js status=200 size=1.2MB
[2025-01-31T10:00:03Z] PATTERN_MATCH type=domain value=abc123def.supabase.co
[2025-01-31T10:00:03Z] DETECTION_COMPLETE result=detected confidence=high

Confidence Levels

Level	Criteria
High	Multiple evidence types (domain + client + endpoints)
Medium	Single strong evidence (domain or explicit client init)
Low	Only indirect evidence (generic patterns, possible false positive)

Edge Cases

Custom Domains

Some Supabase projects use custom domains (e.g.,

api.mycompany.com

). In this case:

Detect Supabase on https://myapp.com with custom API domain api.mycompany.com

Self-Hosted Supabase

Self-hosted instances won't have

.supabase.co

domains. Look for:

PostgREST patterns (
```
/rest/v1/
```
)
GoTrue auth patterns (
```
/auth/v1/
```
)
Supabase client library in code

Single Page Applications

For SPAs with lazy-loaded chunks:

Detect Supabase on https://myapp.com including all JS chunks

Common Issues

❌ Problem: Detection returns false negative on SPA ✅ Solution: The app may lazy-load Supabase. Try interacting with the app first to load all chunks, or provide known patterns.

❌ Problem: Multiple Supabase projects detected ✅ Solution: This can happen with multi-tenant setups. The skill will list all found projects.

❌ Problem: Detection is slow ✅ Solution: Large JS bundles take time to analyze. Use

--quick

mode for faster but less thorough detection:

Quick detect Supabase on https://myapp.com

Next Steps

After detection:

Run
```
supabase-extract-url
```
to confirm and extract the project URL
Run
```
supabase-extract-anon-key
```
to find the API key
Or use
```
supabase-pentest
```
for a full guided audit

MANDATORY: Progressive Context File Updates

⚠️ This skill MUST update tracking files PROGRESSIVELY during execution, NOT just at the end.

Critical Rule: Write As You Go

DO NOT batch all writes at the end. Instead:

Before starting any action → Log the action to
```
.sb-pentest-audit.log
```
After each discovery → Immediately update
```
.sb-pentest-context.json
```
After each significant step → Log completion to
```
.sb-pentest-audit.log
```

This ensures that if the skill is interrupted, crashes, or times out, all findings up to that point are preserved.

Required Actions (Progressive)

Create/Update
.sb-pentest-context.json
with results:

json

{
  "target_url": "https://myapp.example.com",
  "detection": {
    "detected": true,
    "confidence": "high",
    "timestamp": "...",
    "evidence": [ ... ]
  },
  "supabase": {
    "project_ref": "abc123def",
    "project_url": "https://abc123def.supabase.co"
  }
}

Create/Log to
.sb-pentest-audit.log
:

[TIMESTAMP] [supabase-detect] [START] Starting Supabase detection
[TIMESTAMP] [supabase-detect] [SUCCESS] Supabase detected with high confidence
[TIMESTAMP] [supabase-detect] [CONTEXT_UPDATED] .sb-pentest-context.json created/updated

IMPORTANT: As the first skill in the audit chain, this skill is responsible for creating the context files if they don't exist.

FAILURE TO UPDATE CONTEXT FILES IS NOT ACCEPTABLE.

MANDATORY: Evidence Collection

📁 Evidence Directory:

.sb-pentest-evidence/01-detection/

Evidence Files to Create

File	Content
`initial-scan.json`	Raw detection results with all evidence
`supabase-endpoints.txt`	List of discovered Supabase endpoints
`client-code-snippets/`	Directory with relevant code excerpts

Evidence Format

json

{
  "evidence_id": "DET-001",
  "timestamp": "2025-01-31T10:00:00Z",
  "category": "detection",
  "target_url": "https://myapp.example.com",

  "detection_results": {
    "supabase_detected": true,
    "confidence": "high",
    "project_url": "https://abc123def.supabase.co",
    "project_ref": "abc123def"
  },

  "evidence": [
    {
      "type": "domain_pattern",
      "value": "abc123def.supabase.co",
      "location": "/static/js/main.js",
      "line": 1247,
      "context": "const SUPABASE_URL = 'https://abc123def.supabase.co'"
    },
    {
      "type": "client_library",
      "value": "@supabase/supabase-js",
      "version": "2.x"
    }
  ],

  "curl_command": "curl -s 'https://abc123def.supabase.co/rest/v1/' -H 'apikey: [ANON_KEY]'"
}

Add to curl-commands.sh

bash

# === DETECTION ===
# Check Supabase API availability
curl -s "$SUPABASE_URL/rest/v1/" -H "apikey: $ANON_KEY" | head -100

Add to timeline.md

markdown

## [TIMESTAMP] - Detection Phase Complete
- Supabase detected with [confidence] confidence
- Project: [project_ref]
- Evidence: `01-detection/initial-scan.json`

Related Skills

```
supabase-extract-url
```
— Extract project URL from code
```
supabase-extract-anon-key
```
— Find anon key
```
supabase-pentest
```
— Full orchestrated audit

supabase-detect

NPX Install

Tags

SKILL.md Content

Supabase Detection

When to Use This Skill

Prerequisites

Detection Methods

1. Domain Pattern Matching

2. JavaScript Client Detection

3. API Endpoint Detection

4. Response Header Analysis

Usage

Basic Detection

Detection with Verbose Output

Output Format

Supabase Detected

Supabase Not Detected

Context Output

Audit Log Entry

Confidence Levels

Edge Cases

Custom Domains

Self-Hosted Supabase

Single Page Applications

Common Issues

Next Steps

MANDATORY: Progressive Context File Updates

Critical Rule: Write As You Go

Required Actions (Progressive)

MANDATORY: Evidence Collection

Evidence Files to Create

Evidence Format

Add to curl-commands.sh

Add to timeline.md

Related Skills