supabase-extract-url
Supabase URL Extraction
🔴 CRITICAL: PROGRESSIVE FILE UPDATES REQUIRED
You MUST write to context files AS YOU GO, not just at the end.
- Write to .sb-pentest-context.json IMMEDIATELY after each discovery
- Log to .sb-pentest-audit.log BEFORE and AFTER each action
- DO NOT wait until the skill completes to update files
- If the skill crashes or is interrupted, all prior findings must already be saved
This is not optional. Failure to write progressively is a critical error.
This skill extracts the Supabase project URL from a web application's client-side code.
When to Use This Skill
- After detecting Supabase usage, to get the exact project URL
- When you need the API base URL for further testing
- To identify which Supabase project an application uses
Prerequisites
- Target URL accessible
- Supabase usage detected (or suspected)
How It Works
The skill scans for URL patterns in:
1. JavaScript Source Code
```javascript
// Direct URL references
const SUPABASE_URL = 'https://abc123.supabase.co'
createClient('https://abc123.supabase.co', key)
// Environment variable patterns
process.env.SUPABASE_URL
process.env.NEXT_PUBLIC_SUPABASE_URL
import.meta.env.VITE_SUPABASE_URL
```
2. HTML Meta Tags and Scripts
```html
<meta name="supabase-url" content="https://abc123.supabase.co">
<script>
  window.SUPABASE_URL = 'https://abc123.supabase.co'
</script>
```
3. Configuration Objects
```javascript
const config = {
  supabase: {
    url: 'https://abc123.supabase.co'
  }
}
```
URL Pattern Matching
Recognized patterns:
| Pattern | Example |
|---|---|
| Standard | |
| With region | |
| Custom domain | Detected via API endpoint patterns |
Usage
Basic Extraction
```
Extract Supabase URL from https://myapp.example.com
```
From Local Files
If you have downloaded the source:
```
Extract Supabase URL from ./dist/assets/
```
Output Format
```
═══════════════════════════════════════════════════════════
SUPABASE URL EXTRACTED
═══════════════════════════════════════════════════════════
Project URL: https://abc123def.supabase.co
Project Ref: abc123def
Region: us-east-1 (inferred)
Found in:
├── /static/js/main.abc123.js (line 1247)
│   └── const SUPABASE_URL = 'https://abc123def.supabase.co'
│
└── /static/js/chunk.def456.js (line 89)
    └── createClient('https://abc123def.supabase.co', ...)
API Endpoints:
├── REST API: https://abc123def.supabase.co/rest/v1/
├── Auth API: https://abc123def.supabase.co/auth/v1/
├── Storage: https://abc123def.supabase.co/storage/v1/
└── Realtime: wss://abc123def.supabase.co/realtime/v1/
Context updated: .sb-pentest-context.json
═══════════════════════════════════════════════════════════
```
Context Output
Saved to .sb-pentest-context.json:
```json
{
  "supabase": {
    "project_url": "https://abc123def.supabase.co",
    "project_ref": "abc123def",
    "region": "us-east-1",
    "endpoints": {
      "rest": "https://abc123def.supabase.co/rest/v1/",
      "auth": "https://abc123def.supabase.co/auth/v1/",
      "storage": "https://abc123def.supabase.co/storage/v1/",
      "realtime": "wss://abc123def.supabase.co/realtime/v1/",
      "functions": "https://abc123def.supabase.co/functions/v1/"
    },
    "sources": [
      {
        "file": "/static/js/main.abc123.js",
        "line": 1247,
        "context": "const SUPABASE_URL = 'https://abc123def.supabase.co'"
      }
    ]
  }
}
```
Multiple URLs
If multiple Supabase URLs are found:
```
═══════════════════════════════════════════════════════════
MULTIPLE SUPABASE URLS FOUND
═══════════════════════════════════════════════════════════
⚠️ Multiple Supabase projects detected
1. https://abc123.supabase.co (primary - most references)
   └── Found in: main.js, config.js
2. https://xyz789.supabase.co (secondary)
   └── Found in: analytics.js
Using primary URL for further analysis.
To use a different URL, specify it manually.
═══════════════════════════════════════════════════════════
```
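
The pattern scan and the "most references" rule described above can be run against your own build output to inventory which Supabase projects a bundle references. This is an added example, not code from the skill: the regex, the function names, the `other_projects` key and the sample files are assumptions made for illustration.

```python
import re
from collections import Counter

# Hosted-project form used in the page's examples: https://<ref>.supabase.co
# The lookahead rejects lookalikes such as <ref>.supabase.co.example.net.
# Custom domains do not match and are out of scope for this example.
SUPABASE_URL_RE = re.compile(r"https://([a-z0-9]+)\.supabase\.co(?![\w.-])")

def scan_sources(files):
    """files maps path -> text. Returns (hits, per-URL reference counts)."""
    hits, counts = [], Counter()
    for path, text in files.items():
        for lineno, line in enumerate(text.splitlines(), start=1):
            for m in SUPABASE_URL_RE.finditer(line):
                counts[m.group(0)] += 1
                hits.append({"url": m.group(0), "file": path,
                             "line": lineno, "context": line.strip()[:120]})
    return hits, counts

def build_context(files):
    """Build the "supabase" context object; the most-referenced URL is primary."""
    hits, counts = scan_sources(files)
    if not counts:
        return None
    primary = counts.most_common(1)[0][0]
    host = primary[len("https://"):]
    return {
        "project_url": primary,
        "project_ref": host.split(".")[0],
        # "region" is left out: this pattern does not capture it.
        "endpoints": {
            "rest": f"{primary}/rest/v1/",
            "auth": f"{primary}/auth/v1/",
            "storage": f"{primary}/storage/v1/",
            "realtime": f"wss://{host}/realtime/v1/",
            "functions": f"{primary}/functions/v1/",
        },
        "sources": [h for h in hits if h["url"] == primary],
        # Hypothetical extra key (not in the page's schema): secondary projects.
        "other_projects": sorted(u for u in counts if u != primary),
    }

# Constructed sample input covering the three locations the page lists.
SAMPLE_FILES = {
    "main.js": "const SUPABASE_URL = 'https://abc123.supabase.co'\n"
               "createClient('https://abc123.supabase.co', key)\n",
    "index.html": '<meta name="supabase-url" content="https://abc123.supabase.co">\n',
    "analytics.js": "const config = { supabase: { url: 'https://xyz789.supabase.co' } }\n",
}
```

A second project showing up in `other_projects` for a production bundle is worth a look: it often means a staging or analytics project shipped alongside the main one.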
Validation
The skill validates extracted URLs by:
- Format check — Matches expected Supabase URL patterns
- Reachability check — Attempts to reach the REST API endpoint
- Response validation — Confirms Supabase-like response
```
Validation:
├── Format: ✅ Valid Supabase URL format
├── Reachable: ✅ REST API responds (200 OK)
└── Confirmed: ✅ Response matches Supabase pattern
```
Common Issues
❌ Problem: URL not found despite Supabase detection
✅ Solution: The URL may be in a dynamically loaded chunk. Try:
```
Extract URL with deep scan from https://myapp.example.com
```
❌ Problem: URL found but validation fails
✅ Solution: The project may be paused or the region may have connectivity issues. The URL is still recorded.
❌ Problem: Only custom domain found
✅ Solution: Custom domains are valid. The skill will note it as a custom domain and attempt to identify the underlying project.
Security Notes
- This skill only reads publicly available code
- No authentication is attempted
- The URL alone does not grant access (key is also required)
Next Steps
After extracting the URL:
- Run supabase-extract-anon-key to find the API key
- Run supabase-extract-service-key to check for leaked service keys
- Proceed to API auditing skills
MANDATORY: Progressive Context File Updates
⚠️ This skill MUST update tracking files PROGRESSIVELY during execution, NOT just at the end.
Critical Rule: Write As You Go
DO NOT batch all writes at the end. Instead:
- Before starting any action → Log the action to .sb-pentest-audit.log
- After each discovery → Immediately update .sb-pentest-context.json
- After each significant step → Log completion to .sb-pentest-audit.log
This ensures that if the skill is interrupted, crashes, or times out, all findings up to that point are preserved.
Required Actions (Progressive)
- Update .sb-pentest-context.json with extracted data:
  ```json
  {
    "supabase": {
      "project_url": "https://[ref].supabase.co",
      "project_ref": "[ref]",
      "endpoints": { ... }
    }
  }
  ```
- Log to .sb-pentest-audit.log:
  ```
  [TIMESTAMP] [supabase-extract-url] [START] Beginning URL extraction
  [TIMESTAMP] [supabase-extract-url] [SUCCESS] URL extracted: https://[ref].supabase.co
  [TIMESTAMP] [supabase-extract-url] [CONTEXT_UPDATED] .sb-pentest-context.json updated
  ```
- If files don't exist, create them before writing.
FAILURE TO UPDATE CONTEXT FILES IS NOT ACCEPTABLE.
MANDATORY: Evidence Collection
📁 Evidence Directory: .sb-pentest-evidence/02-extraction/
Evidence Files to Create
| File | Content |
|---|---|
| | URL extraction details with source locations |
Evidence Format
```json
{
  "evidence_id": "EXT-URL-001",
  "timestamp": "2025-01-31T10:05:00Z",
  "category": "extraction",
  "type": "url_extraction",
  "extracted_data": {
    "project_url": "https://abc123def.supabase.co",
    "project_ref": "abc123def",
    "region": "us-east-1"
  },
  "sources": [
    {
      "file": "/static/js/main.js",
      "line": 1247,
      "context": "const SUPABASE_URL = 'https://abc123def.supabase.co'"
    }
  ],
  "endpoints_discovered": {
    "rest": "https://abc123def.supabase.co/rest/v1/",
    "auth": "https://abc123def.supabase.co/auth/v1/",
    "storage": "https://abc123def.supabase.co/storage/v1/",
    "realtime": "wss://abc123def.supabase.co/realtime/v1/"
  }
}
```
Related Skills
- supabase-detect — Detect Supabase usage first
- supabase-extract-anon-key — Extract the anon key
- supabase-extract-service-key — Check for service key leaks