Supabase Pentest Skills Help

Quick reference for all 24 security audit skills.

When to Use This Skill

Need a quick overview of available skills
Looking for the right skill for a specific task
Want usage examples for a particular skill

Quick Start

bash

# Full guided audit
/supabase-pentest https://myapp.example.com

# Check if app uses Supabase
/supabase-detect https://myapp.example.com

# Generate report from previous audit
/supabase-report

All Skills Reference

Orchestration

Skill	Command	Purpose
`supabase-pentest`	`/supabase-pentest <url>`	Full guided security audit
`supabase-evidence`	`/supabase-evidence`	Initialize evidence collection
`supabase-help`	`/supabase-help`	This help reference

Detection

Skill	Command	Purpose
`supabase-detect`	`/supabase-detect <url>`	Detect Supabase usage

Extraction

Skill	Command	Purpose
`supabase-extract-url`	`/supabase-extract-url <url>`	Find Supabase project URL
`supabase-extract-anon-key`	`/supabase-extract-anon-key`	Extract anon API key
`supabase-extract-service-key`	`/supabase-extract-service-key`	Find leaked service key
`supabase-extract-jwt`	`/supabase-extract-jwt`	Extract JWTs from code
`supabase-extract-db-string`	`/supabase-extract-db-string`	Find DB connection strings

API Audit

Skill	Command	Purpose
`supabase-audit-tables-list`	`/supabase-audit-tables-list`	List exposed tables
`supabase-audit-tables-read`	`/supabase-audit-tables-read`	Read table data
`supabase-audit-rls`	`/supabase-audit-rls`	Test RLS policies
`supabase-audit-rpc`	`/supabase-audit-rpc`	Test RPC functions

Storage Audit

Skill	Command	Purpose
`supabase-audit-buckets-list`	`/supabase-audit-buckets-list`	List storage buckets
`supabase-audit-buckets-read`	`/supabase-audit-buckets-read`	Read bucket files
`supabase-audit-buckets-public`	`/supabase-audit-buckets-public`	Find public buckets

Auth Audit

Skill	Command	Purpose
`supabase-audit-auth-config`	`/supabase-audit-auth-config`	Check auth settings
`supabase-audit-auth-signup`	`/supabase-audit-auth-signup`	Test signup access
`supabase-audit-auth-users`	`/supabase-audit-auth-users`	Test user enumeration
`supabase-audit-authenticated`	`/supabase-audit-authenticated`	Create test user to detect IDOR

Realtime & Functions

Skill	Command	Purpose
`supabase-audit-realtime`	`/supabase-audit-realtime`	Test Realtime channels
`supabase-audit-functions`	`/supabase-audit-functions`	Test Edge Functions

Reporting

Skill	Command	Purpose
`supabase-report`	`/supabase-report`	Generate Markdown report
`supabase-report-compare`	`/supabase-report-compare <old> <new>`	Compare two reports

Severity Levels

Level	Color	Description
P0	🔴	Critical: data exposure, user data, privilege escalation
P1	🟠	High: sensitive data, security misconfiguration
P2	🟡	Medium: minor exposure, best practice violations

Common Workflows

Quick Security Check

1. /supabase-detect https://myapp.com
2. /supabase-extract-anon-key
3. /supabase-audit-rls
4. /supabase-report

Full Audit

1. /supabase-pentest https://myapp.com
   (Follow guided prompts through all phases)

Storage-Only Audit

1. /supabase-detect https://myapp.com
2. /supabase-audit-buckets-list
3. /supabase-audit-buckets-public
4. /supabase-report

Compare After Fixes

1. Copy previous report to reports/audit-v1.md
2. Run new audit: /supabase-pentest https://myapp.com
3. /supabase-report-compare reports/audit-v1.md supabase-audit-report.md

Files and Directories Created

File/Directory	Description
`.sb-pentest-context.json`	Shared context between skills
`.sb-pentest-audit.log`	Action log with timestamps
`.sb-pentest-evidence/`	Evidence directory for professional audits
`supabase-audit-report.md`	Final security report

Evidence Directory Structure

.sb-pentest-evidence/
├── README.md                 # Evidence index
├── curl-commands.sh          # Reproducible commands
├── timeline.md               # Chronological findings
├── 01-detection/             # Detection evidence
├── 02-extraction/            # Key extraction evidence
├── 03-api-audit/             # API audit evidence
├── 04-storage-audit/         # Storage audit evidence
├── 05-auth-audit/            # Auth audit evidence
├── 06-realtime-audit/        # Realtime audit evidence
├── 07-functions-audit/       # Functions audit evidence
└── screenshots/              # Optional screenshots

Tips

Always run detection first — Most skills auto-invoke it, but it's faster to run explicitly
Check the context file — If a skill behaves unexpectedly, the context may have stale data
Use the orchestrator for full audits — It handles dependencies automatically
Save reports with dates — Rename
```
supabase-audit-report.md
```
to include the date for history

Need More Help?

Each skill has detailed documentation — run
```
/supabase-<skill-name>
```
for specifics
Check the README at the repository root
Open an issue on GitHub for bugs or feature requests

supabase-help

NPX Install

Tags

SKILL.md Content

Supabase Pentest Skills Help

When to Use This Skill

Quick Start

All Skills Reference

Orchestration

Detection

Extraction

API Audit

Storage Audit

Auth Audit

Realtime & Functions

Reporting

Severity Levels

Common Workflows

Quick Security Check

Full Audit

Storage-Only Audit

Compare After Fixes

Files and Directories Created

Evidence Directory Structure

Tips

Need More Help?