supabase-help
Supabase Pentest Skills Help
Quick reference for all 24 security audit skills.
When to Use This Skill
- Need a quick overview of available skills
- Looking for the right skill for a specific task
- Want usage examples for a particular skill
Quick Start
```bash
# Full guided audit
/supabase-pentest https://myapp.example.com

# Check if app uses Supabase
/supabase-detect https://myapp.example.com

# Generate report from previous audit
/supabase-report
```
All Skills Reference
Orchestration
| Skill | Command | Purpose |
|---|---|---|
| | | Full guided security audit |
| | | Initialize evidence collection |
| | | This help reference |
Detection
| Skill | Command | Purpose |
|---|---|---|
| | | Detect Supabase usage |
Extraction
| Skill | Command | Purpose |
|---|---|---|
| | | Find Supabase project URL |
| | | Extract anon API key |
| | | Find leaked service key |
| | | Extract JWTs from code |
| | | Find DB connection strings |
API Audit
| Skill | Command | Purpose |
|---|---|---|
| | | List exposed tables |
| | | Read table data |
| | | Test RLS policies |
| | | Test RPC functions |
Storage Audit
| Skill | Command | Purpose |
|---|---|---|
| | | List storage buckets |
| | | Read bucket files |
| | | Find public buckets |
Auth Audit
| Skill | Command | Purpose |
|---|---|---|
| | | Check auth settings |
| | | Test signup access |
| | | Test user enumeration |
| | | Create test user to detect IDOR |
Realtime & Functions
| Skill | Command | Purpose |
|---|---|---|
| | | Test Realtime channels |
| | | Test Edge Functions |
Reporting
| Skill | Command | Purpose |
|---|---|---|
| | | Generate Markdown report |
| | | Compare two reports |
Severity Levels
| Level | Color | Description |
|---|---|---|
| P0 | 🔴 | Critical: data exposure, user data, privilege escalation |
| P1 | 🟠 | High: sensitive data, security misconfiguration |
| P2 | 🟡 | Medium: minor exposure, best practice violations |
Common Workflows
Quick Security Check
1. `/supabase-detect https://myapp.com`
2. `/supabase-extract-anon-key`
3. `/supabase-audit-rls`
4. `/supabase-report`

Full Audit
1. `/supabase-pentest https://myapp.com`
   (Follow guided prompts through all phases)

Storage-Only Audit
1. `/supabase-detect https://myapp.com`
2. `/supabase-audit-buckets-list`
3. `/supabase-audit-buckets-public`
4. `/supabase-report`

Compare After Fixes
1. Copy the previous report to `reports/audit-v1.md`
2. Run a new audit: `/supabase-pentest https://myapp.com`
3. `/supabase-report-compare reports/audit-v1.md supabase-audit-report.md`

Files and Directories Created
| File/Directory | Description |
|---|---|
| | Shared context between skills |
| | Action log with timestamps |
| | Evidence directory for professional audits |
| | Final security report |
Evidence Directory Structure
```text
.sb-pentest-evidence/
├── README.md            # Evidence index
├── curl-commands.sh     # Reproducible commands
├── timeline.md          # Chronological findings
├── 01-detection/        # Detection evidence
├── 02-extraction/       # Key extraction evidence
├── 03-api-audit/        # API audit evidence
├── 04-storage-audit/    # Storage audit evidence
├── 05-auth-audit/       # Auth audit evidence
├── 06-realtime-audit/   # Realtime audit evidence
├── 07-functions-audit/  # Functions audit evidence
└── screenshots/         # Optional screenshots
```

Tips
- Always run detection first — Most skills auto-invoke it, but it's faster to run it explicitly
- Check the context file — If a skill behaves unexpectedly, the context may contain stale data
- Use the orchestrator for full audits — It handles dependencies automatically
- Save reports with dates — Rename `supabase-audit-report.md` to include the date so you keep a history
Need More Help?
- Each skill has detailed documentation — run `/supabase-<skill-name>` for specifics
- Check the README at the repository root
- Open an issue on GitHub for bugs or feature requests