supabase-help
57
总安装量
57
周安装量
#3801
全站排名
安装命令
npx skills add https://github.com/yoanbernabeu/supabase-pentest-skills --skill supabase-help
Agent 安装分布
claude-code
48
codex
30
opencode
29
antigravity
23
cursor
22
Skill 文档
Supabase Pentest Skills Help
Quick reference for all 24 security audit skills.
When to Use This Skill
- Need a quick overview of available skills
- Looking for the right skill for a specific task
- Want usage examples for a particular skill
Quick Start
# Full guided audit
/supabase-pentest https://myapp.example.com
# Check if app uses Supabase
/supabase-detect https://myapp.example.com
# Generate report from previous audit
/supabase-report
All Skills Reference
Orchestration
| Skill | Command | Purpose |
|---|---|---|
supabase-pentest |
/supabase-pentest <url> |
Full guided security audit |
supabase-evidence |
/supabase-evidence |
Initialize evidence collection |
supabase-help |
/supabase-help |
This help reference |
Detection
| Skill | Command | Purpose |
|---|---|---|
supabase-detect |
/supabase-detect <url> |
Detect Supabase usage |
Extraction
| Skill | Command | Purpose |
|---|---|---|
supabase-extract-url |
/supabase-extract-url <url> |
Find Supabase project URL |
supabase-extract-anon-key |
/supabase-extract-anon-key |
Extract anon API key |
supabase-extract-service-key |
/supabase-extract-service-key |
Find leaked service key |
supabase-extract-jwt |
/supabase-extract-jwt |
Extract JWTs from code |
supabase-extract-db-string |
/supabase-extract-db-string |
Find DB connection strings |
API Audit
| Skill | Command | Purpose |
|---|---|---|
supabase-audit-tables-list |
/supabase-audit-tables-list |
List exposed tables |
supabase-audit-tables-read |
/supabase-audit-tables-read |
Read table data |
supabase-audit-rls |
/supabase-audit-rls |
Test RLS policies |
supabase-audit-rpc |
/supabase-audit-rpc |
Test RPC functions |
Storage Audit
| Skill | Command | Purpose |
|---|---|---|
supabase-audit-buckets-list |
/supabase-audit-buckets-list |
List storage buckets |
supabase-audit-buckets-read |
/supabase-audit-buckets-read |
Read bucket files |
supabase-audit-buckets-public |
/supabase-audit-buckets-public |
Find public buckets |
Auth Audit
| Skill | Command | Purpose |
|---|---|---|
supabase-audit-auth-config |
/supabase-audit-auth-config |
Check auth settings |
supabase-audit-auth-signup |
/supabase-audit-auth-signup |
Test signup access |
supabase-audit-auth-users |
/supabase-audit-auth-users |
Test user enumeration |
supabase-audit-authenticated |
/supabase-audit-authenticated |
Create test user to detect IDOR |
Realtime & Functions
| Skill | Command | Purpose |
|---|---|---|
supabase-audit-realtime |
/supabase-audit-realtime |
Test Realtime channels |
supabase-audit-functions |
/supabase-audit-functions |
Test Edge Functions |
Reporting
| Skill | Command | Purpose |
|---|---|---|
supabase-report |
/supabase-report |
Generate Markdown report |
supabase-report-compare |
/supabase-report-compare <old> <new> |
Compare two reports |
Severity Levels
| Level | Color | Description |
|---|---|---|
| P0 | ð´ | Critical: data exposure, user data, privilege escalation |
| P1 | ð | High: sensitive data, security misconfiguration |
| P2 | ð¡ | Medium: minor exposure, best practice violations |
Common Workflows
Quick Security Check
1. /supabase-detect https://myapp.com
2. /supabase-extract-anon-key
3. /supabase-audit-rls
4. /supabase-report
Full Audit
1. /supabase-pentest https://myapp.com
(Follow guided prompts through all phases)
Storage-Only Audit
1. /supabase-detect https://myapp.com
2. /supabase-audit-buckets-list
3. /supabase-audit-buckets-public
4. /supabase-report
Compare After Fixes
1. Copy previous report to reports/audit-v1.md
2. Run new audit: /supabase-pentest https://myapp.com
3. /supabase-report-compare reports/audit-v1.md supabase-audit-report.md
Files and Directories Created
| File/Directory | Description |
|---|---|
.sb-pentest-context.json |
Shared context between skills |
.sb-pentest-audit.log |
Action log with timestamps |
.sb-pentest-evidence/ |
Evidence directory for professional audits |
supabase-audit-report.md |
Final security report |
Evidence Directory Structure
.sb-pentest-evidence/
âââ README.md # Evidence index
âââ curl-commands.sh # Reproducible commands
âââ timeline.md # Chronological findings
âââ 01-detection/ # Detection evidence
âââ 02-extraction/ # Key extraction evidence
âââ 03-api-audit/ # API audit evidence
âââ 04-storage-audit/ # Storage audit evidence
âââ 05-auth-audit/ # Auth audit evidence
âââ 06-realtime-audit/ # Realtime audit evidence
âââ 07-functions-audit/ # Functions audit evidence
âââ screenshots/ # Optional screenshots
Tips
- Always run detection first â Most skills auto-invoke it, but it’s faster to run explicitly
- Check the context file â If a skill behaves unexpectedly, the context may have stale data
- Use the orchestrator for full audits â It handles dependencies automatically
- Save reports with dates â Rename
supabase-audit-report.mdto include the date for history
Need More Help?
- Each skill has detailed documentation â run
/supabase-<skill-name>for specifics - Check the README at the repository root
- Open an issue on GitHub for bugs or feature requests