Supabase Security Audit Toolkit

Main entry point for auditing Supabase application security.

Quick Start

# Full guided audit (recommended)
/supabase https://myapp.example.com

# Quick security check
/supabase check https://myapp.example.com

# Help and skills reference
/supabase help

Execution Modes

1. Full Audit (/supabase <url>)

Launches a complete security audit in 7 phases:

Action: Equivalent to /supabase-pentest <url>

2. Quick Check (/supabase check <url>)

Performs a rapid security check in 3 steps:

1. Detection – Confirms Supabase usage
2. Extraction – Retrieves URL and anon key
3. RLS Test – Verifies basic security policies

Result: Quick security overview without full report.

3. Help (/supabase help)

Displays the complete reference for all 24 available skills.

Action: Equivalent to /supabase-help

Skills Tree

supabase/                    ← YOU ARE HERE (entry point)
│
├── orchestration/
│   ├── supabase-pentest     → Full guided audit
│   └── supabase-help        → Quick reference
│
├── evidence/
│   └── supabase-evidence    → Evidence management
│
├── detection/
│   └── supabase-detect      → Supabase detection
│
├── extraction/
│   ├── supabase-extract-url         → Project URL
│   ├── supabase-extract-anon-key    → Anon key (expected)
│   ├── supabase-extract-service-key → Service key (P0!)
│   ├── supabase-extract-jwt         → JWT tokens
│   └── supabase-extract-db-string   → DB connection (P0!)
│
├── audit-api/
│   ├── supabase-audit-tables-list   → Table listing
│   ├── supabase-audit-tables-read   → Data reading
│   ├── supabase-audit-rls           → RLS policies
│   └── supabase-audit-rpc           → RPC functions
│
├── audit-storage/
│   ├── supabase-audit-buckets-list   → Bucket listing
│   ├── supabase-audit-buckets-read   → File reading
│   └── supabase-audit-buckets-public → Public buckets
│
├── audit-auth/
│   ├── supabase-audit-auth-config    → Auth configuration
│   ├── supabase-audit-auth-signup    → Signup testing
│   ├── supabase-audit-auth-users     → User enumeration
│   └── supabase-audit-authenticated  → IDOR testing (with user)
│
├── audit-realtime/
│   └── supabase-audit-realtime       → WebSocket channels
│
├── audit-functions/
│   └── supabase-audit-functions      → Edge Functions
│
└── report/
    ├── supabase-report               → Report generation
    └── supabase-report-compare       → Report comparison

Severity Levels

Generated Files

Common Workflows

Complete Security Audit

/supabase https://myapp.example.com
→ Follow guided steps
→ Report generated automatically

Pre-Production Check

/supabase check https://staging.myapp.com
→ Quick result in ~2 minutes

Storage-Focused Audit

/supabase-detect https://myapp.com
/supabase-audit-buckets-list
/supabase-audit-buckets-public

Comparison After Fixes

# Save previous report
mv supabase-audit-report.md audit-before.md

# Run new audit
/supabase https://myapp.com

# Compare
/supabase-report-compare audit-before.md supabase-audit-report.md

Prerequisites

• Public URL of the target application
• Authorization to test (owner or explicit permission)
• Internet connection

Security Notice

⚠️  AUTHORIZATION REQUIRED

Unauthorized security testing may violate laws
and terms of service.

Confirm you are authorized to test this application.

Direct Skill Access

Each skill can be invoked individually:

/supabase-detect <url>           # Detection
/supabase-extract-anon-key       # Key extraction
/supabase-audit-rls              # RLS testing
/supabase-report                 # Report generation

For the complete list: /supabase help or /supabase-help

Support

• Documentation: Check the repository README
• Issues: Open an issue on GitHub
• Each skill has its own detailed documentation