Supabase 安全审计编排器 | 自动化渗透测试与渐进式文档管理

supabase-pentest by yoanbernabeu/supabase-pentest-skills

132 周安装量

32 GitHub Stars

GitHub

安装命令

npx skills add https://github.com/yoanbernabeu/supabase-pentest-skills --skill supabase-pentest

自动化测试安全

🇨🇳中文介绍

Supabase 安全审计编排器

🔵 推荐：复杂审计请使用计划模式

当您的环境支持计划模式时，强烈建议在开始审计前激活它：

在编排开始时使用 EnterPlanMode 工具

计划模式能更好地组织多阶段审计

它允许用户在执行前验证方法

如果计划模式不可用，则直接执行

计划模式为审计过程提供了更好的可追溯性和用户控制。

🔴 关键要求：必须进行渐进式文件更新

您必须在审计过程中随时写入上下文文件，而不仅仅是在最后。

每次发现后立即写入 .sb-pentest-context.json

每次操作前后记录到 .sb-pentest-audit.log

切勿等到一个阶段或技能完成后再更新文件

如果审计崩溃或中断，所有先前的发现必须已经保存

这不是可选的。未能渐进式写入是一个严重错误。

广告位招租

在这里展示您的产品或服务

触达数万 AI 开发者，精准高效

联系我们

⚠️ 强制要求：渐进式上下文文件管理

在开始任何审计之前，您必须：

如果不存在，则创建 .sb-pentest-context.json
如果不存在，则创建 .sb-pentest-audit.log
创建 .sb-pentest-evidence/ 目录结构
使用目标 URL 和时间戳初始化上下文

执行期间 - 随时写入：

每次操作前 → 记录到 .sb-pentest-audit.log
每次发现后 → 立即更新 .sb-pentest-context.json
每次测试后 → 将证据保存到 .sb-pentest-evidence/
不要批量写入 → 每个发现必须在发现时保存
每次技能后验证 → 在继续之前检查所有文件是否已更新

📋 系统性文档要求

在整个审计过程中，必须系统地维护所有跟踪文件。

必需文件（强制）

文件	用途	更新频率
`.sb-pentest-context.json`	集中状态和发现	每次发现后
`.sb-pentest-audit.log`	按时间顺序记录的操作日志	每次操作前后
`.sb-pentest-evidence/timeline.md`	带时间戳的发现叙述	每次重要发现后
`.sb-pentest-evidence/curl-commands.sh`	可复现的测试命令	每次 curl/HTTP 请求后

验证清单（每次阶段转换前）

在进入下一阶段之前，编排器必须验证：

.sb-pentest-context.json 包含当前阶段的所有发现
.sb-pentest-audit.log 记录了所有已执行的操作
证据文件存在于 .sb-pentest-evidence/XX-phase-name/ 中
timeline.md 已更新了任何 P0/P1/P2 发现
curl-commands.sh 包含了所有发出的 HTTP 请求

如果任何文件缺失或不完整，请勿进入下一阶段。

渐进式写入模式

每个技能必须遵循此模式：

1. [日志] 将开始条目写入 audit.log
2. [上下文] 使用 "phase_in_progress" 更新 context.json
3. [操作] 执行测试/扫描
4. [证据] 立即保存证据文件
5. [CURL] 将 curl 命令追加到 curl-commands.sh
6. [时间线] 如果有重要发现，则更新 timeline.md
7. [上下文] 使用结果更新 context.json
8. [日志] 将完成条目写入 audit.log

如果技能或阶段失败：

保存截至故障点为止所有已更新的文件
审计可以从最后一个成功的检查点恢复
上下文文件准确指示审计停止的位置

⚠️ 为什么这很重要：

如果审计被中断、崩溃或超时，截至该点的发现将被保留
长时间运行的技能必须增量保存进度，而不仅仅是在最后
用户可以通过监视日志文件实时监控进度

未能渐进式更新上下文文件是不可接受的。

每个单独的技能都有责任在工作过程中更新这些文件，而不仅仅是在完成时。如果某个技能没有渐进式更新上下文，编排器必须在每次发现后立即更新。

何时使用此技能

对 Supabase 应用程序运行完整的安全评估
在生产前进行内部安全自评估
在提出安全疑虑后审计应用程序
进行定期的安全审查

要审计的应用程序的公共 URL
对目标应用程序进行测试的授权（您必须拥有它或获得明确许可）
可访问目标 URL 的互联网连接

⚠️  需要授权

在继续之前，您必须确认：

1. 我拥有此应用程序，或
2. 我有明确的书面授权来执行安全测试

未经授权的安全测试可能违反法律和服务条款。
输入 "I confirm I am authorized to test this application" 以继续。

编排器按顺序运行这些阶段，并在每个阶段之间进行确认。

📁 提醒：每次阶段后，请验证：

.sb-pentest-context.json 已更新了阶段结果

.sb-pentest-audit.log 有开始和完成条目

证据文件已保存到 .sb-pentest-evidence/XX-phase/

timeline.md 反映了任何重要发现

curl-commands.sh 包含了所有发出的 HTTP 请求

阶段 0：初始化

设置审计环境和证据收集。

阶段前操作（如果支持）：

如果环境支持，使用 EnterPlanMode
这允许用户在执行前验证审计方法
如果计划模式不可用，则直接进行

创建 .sb-pentest-context.json
创建 .sb-pentest-audit.log
创建 .sb-pentest-evidence/ 目录结构
使用头部初始化 curl-commands.sh
使用审计开始时间初始化 timeline.md
将初始化记录到 .sb-pentest-audit.log

调用的技能：

supabase-evidence（初始化）

继续前的验证：

所有 4 个跟踪文件都存在
证据目录结构完整
用户授权已确认

输出： 准备好使用完整的目录结构收集证据

确定目标是否使用 Supabase 并提取基本信息。

调用的技能：

输出： 确认 Supabase 使用情况，识别项目 URL

证据保存到： .sb-pentest-evidence/01-detection/

阶段 2：密钥提取

扫描客户端代码以查找暴露的凭据。

调用的技能：

supabase-extract-url
supabase-extract-anon-key
supabase-extract-service-key
supabase-extract-jwt
supabase-extract-db-string

输出： 所有发现的凭据列表及严重性评估

证据保存到： .sb-pentest-evidence/02-extraction/

阶段 3：API 审计

测试 PostgREST API 暴露情况和 RLS 策略。

调用的技能：

supabase-audit-tables-list
supabase-audit-tables-read
supabase-audit-rls
supabase-audit-rpc

输出： 可访问的表、数据暴露评估、RLS 漏洞

证据保存到： .sb-pentest-evidence/03-api-audit/

阶段 4：存储审计

检查存储桶配置和访问权限。

调用的技能：

supabase-audit-buckets-list
supabase-audit-buckets-read
supabase-audit-buckets-public

输出： 存储桶清单、公共暴露情况、可访问的文件

证据保存到： .sb-pentest-evidence/04-storage-audit/

阶段 5：身份验证审计

分析身份验证配置和潜在弱点。

调用的技能：

supabase-audit-auth-config
supabase-audit-auth-signup
supabase-audit-auth-users
supabase-audit-authenticated ← 新增：创建测试用户（经同意）以检测 IDOR

输出： 身份验证提供者分析、注册限制、枚举风险、已验证与匿名用户对比

证据保存到： .sb-pentest-evidence/05-auth-audit/

⚠️ 注意： supabase-audit-authenticated 将在创建测试用户前请求明确同意。这是可选的，但强烈建议用于检测 IDOR 和跨用户访问漏洞。

阶段 6：实时与函数审计

测试 WebSocket 通道和 Edge Functions。

调用的技能：

supabase-audit-realtime
supabase-audit-functions

输出： 暴露的通道、函数端点、访问控制问题

证据保存到： .sb-pentest-evidence/06-realtime-audit/ 和 .sb-pentest-evidence/07-functions-audit/

阶段 7：报告生成

将所有发现编译成一份全面的报告。

调用的技能：

输出： 包含执行摘要、发现和修复建议的完整 Markdown 报告

使用计划模式的工作流程

当支持计划模式时，推荐的工作流程是：

1. 用户请求审计 → 代理使用 EnterPlanMode
2. 代理初步探索目标（检测 Supabase，提取 URL）
3. 代理将计划写入计划文件，包含：
   - 目标 URL
   - 检测到的 Supabase 配置
   - 建议执行的阶段
   - 估计范围
4. 代理使用 ExitPlanMode → 用户审查并批准
5. 代理执行阶段并系统更新文件
6. 每个阶段后 → 代理确认文件已更新
7. 最终报告生成

计划模式的优点：

用户可以在执行开始前调整范围
更好地了解将要测试的内容
从规划到执行的更清晰的审计轨迹

基本完整审计（使用计划模式）

在 https://myapp.example.com 上运行 Supabase 安全审计

如果可用，使用 EnterPlanMode
提交审计计划供批准
执行并系统更新文件

基本完整审计（不使用计划模式）

在 https://myapp.example.com 上运行 Supabase 安全审计 --no-plan

从阶段 3（API 审计）继续 Supabase 审计

在 https://myapp.example.com 上运行 Supabase 审计，跳过身份验证审计

上下文文件和证据（强制）

⚠️ 关键：更新跟踪文件和收集证据是强制性的。

编排器创建并管理：

文件/目录	用途
`.sb-pentest-context.json`	在阶段之间存储提取的数据
`.sb-pentest-audit.log`	记录所有带时间戳的操作
`.sb-pentest-evidence/`	专业审计的证据目录

编排器在每次审计开始时初始化证据目录：

.sb-pentest-evidence/
├── README.md                    # 证据索引
├── curl-commands.sh             # 所有可复现的 curl 命令
├── timeline.md                  # 按时间顺序的发现
├── 01-detection/                # 检测证据
├── 02-extraction/               # 密钥提取证据
├── 03-api-audit/                # API 审计证据
│   ├── tables/
│   ├── data-samples/
│   ├── rls-tests/
│   └── rpc-tests/
├── 04-storage-audit/            # 存储审计证据
│   ├── buckets/
│   └── public-url-tests/
├── 05-auth-audit/               # 身份验证审计证据
│   ├── signup-tests/
│   └── enumeration-tests/
├── 06-realtime-audit/           # 实时审计证据
├── 07-functions-audit/          # 函数审计证据
└── screenshots/                 # 可选截图

每个技能必须在其工作过程中将证据保存到相应的目录。

每次技能执行后，.sb-pentest-context.json 必须用结果更新
每个操作必须带时间戳记录在 .sb-pentest-audit.log 中
如果文件不存在，必须在审计开始时创建
切勿在不更新上下文文件的情况下完成技能

.sb-pentest-audit.log 中的每个条目必须遵循此格式：

[YYYY-MM-DD HH:MM:SS] [SKILL_NAME] [STATUS] Message

[2025-01-31 14:00:00] [supabase-detect] [START] Starting Supabase detection
[2025-01-31 14:00:05] [supabase-detect] [SUCCESS] Supabase detected
[2025-01-31 14:00:05] [supabase-detect] [CONTEXT_UPDATED] .sb-pentest-context.json updated

上下文文件结构

{
  "target_url": "https://myapp.example.com",
  "started_at": "2025-01-31T10:00:00Z",
  "authorization_confirmed": true,
  "supabase": {
    "detected": true,
    "project_url": "https://abc123.supabase.co",
    "anon_key": "eyJ...",
    "service_key_exposed": false
  },
  "phases_completed": ["detection", "extraction"],
  "findings": []
}

编排器实现自适应速率限制：

以正常请求速度开始
如果检测到 HTTP 429（请求过多），则指数级退避
遵守 Supabase 的速率限制头

═══════════════════════════════════════════════════════════
 阶段 2 完成：密钥提取
═══════════════════════════════════════════════════════════

 发现：
 ├── ✅ 找到匿名密钥（预期）
 ├── ❌ P0：服务角色密钥在 main.js:1247 处暴露
 └── ⚠️  P1：检测到 JWT 密钥模式

 继续阶段 3（API 审计）？[Y/n]
═══════════════════════════════════════════════════════════

在非生产时间运行审计以最小化影响
保存上下文文件用于审计跟踪目的
在修复前与您的安全团队一起审查发现
实施修复后重新运行审计以验证

❌ 问题： 审计在阶段 1 停止，显示“未检测到 Supabase” ✅ 解决方案： 应用程序可能使用自定义域。手动提供 Supabase URL：

使用 Supabase URL https://myproject.supabase.co 运行审计

❌ 问题： 审计期间被速率限制 ✅ 解决方案： 编排器会自动调整。如果持续存在，请等待 5 分钟并恢复。

❌ 问题： 上下文文件损坏 ✅ 解决方案： 删除 .sb-pentest-context.json 并重新启动审计。

supabase-help — 所有技能的快速参考
supabase-evidence — 证据收集管理
supabase-report — 从现有上下文生成报告
supabase-report-compare — 与之前的审计进行比较

🇺🇸English

Supabase Security Audit Orchestrator

🔵 RECOMMENDED: USE PLAN MODE FOR COMPLEX AUDITS

When your environment supports Plan Mode , it is strongly recommended to activate it before starting the audit:

Use the EnterPlanMode tool at the start of the orchestration

Plan Mode enables better organization of multi-phase audits

It allows the user to validate the approach before execution

If Plan Mode is not available, proceed directly with execution

Plan Mode provides better traceability and user control over the audit process.

🔴 CRITICAL: PROGRESSIVE FILE UPDATES REQUIRED

You MUST write to context files AS YOU GO , not just at the end.

Write to .sb-pentest-context.json IMMEDIATELY after each discovery

Log to .sb-pentest-audit.log BEFORE and AFTER each action

DO NOT wait until a phase or skill completes to update files

If the audit crashes or is interrupted, all prior findings must already be saved

This is not optional. Failure to write progressively is a critical error.

This skill orchestrates a complete security audit of a Supabase-based application, guiding you through each phase with validation checkpoints.

⚠️ MANDATORY: Progressive Context File Management

BEFORE starting any audit, you MUST:

Create .sb-pentest-context.json if it doesn't exist
Create .sb-pentest-audit.log if it doesn't exist
Create .sb-pentest-evidence/ directory structure
Initialize context with target URL and timestamp

DURING execution - WRITE AS YOU GO:

BEFORE each action → Log to .sb-pentest-audit.log
AFTER each discovery → IMMEDIATELY update .sb-pentest-context.json
AFTER each test → Save evidence to .sb-pentest-evidence/
DO NOT batch writes → Each finding must be saved as it's discovered
Verify after each skill → Check that ALL files were updated before proceeding

📋 SYSTEMATIC DOCUMENTATION REQUIREMENTS

All tracking files MUST be systematically maintained throughout the entire audit.

Required Files (MANDATORY)

File	Purpose	Update Frequency
`.sb-pentest-context.json`	Centralized state and findings	After EVERY discovery
`.sb-pentest-audit.log`	Chronological action log	BEFORE and AFTER every action
`.sb-pentest-evidence/timeline.md`	Timestamped findings narrative	After EVERY significant finding
`.sb-pentest-evidence/curl-commands.sh`	Reproducible test commands	After EVERY curl/HTTP request

Verification Checklist (Before Each Phase Transition)

Before moving to the next phase, the orchestrator MUST verify:

.sb-pentest-context.json contains all discoveries from current phase
.sb-pentest-audit.log has entries for all actions performed
Evidence files exist in .sb-pentest-evidence/XX-phase-name/
timeline.md is updated with any P0/P1/P2 findings
curl-commands.sh contains all HTTP requests made

If any file is missing or incomplete, DO NOT proceed to the next phase.

Progressive Write Pattern

Each skill MUST follow this pattern:

1. [LOG] Write START entry to audit.log
2. [CONTEXT] Update context.json with "phase_in_progress"
3. [ACTION] Perform the test/scan
4. [EVIDENCE] Save evidence file IMMEDIATELY
5. [CURL] Append curl command to curl-commands.sh
6. [TIMELINE] Update timeline.md if significant finding
7. [CONTEXT] Update context.json with results
8. [LOG] Write COMPLETE entry to audit.log

Failure Recovery

If a skill or phase fails:

All files updated up to the failure point are preserved
The audit can be resumed from the last successful checkpoint
Context file indicates exactly where the audit stopped

⚠️ WHY THIS MATTERS:

If the audit is interrupted, crashes, or times out, findings up to that point are preserved
Long-running skills must save progress incrementally, not just at the end
Users can monitor progress in real-time by watching the log file

FAILURE TO UPDATE CONTEXT FILES PROGRESSIVELY IS NOT ACCEPTABLE.

Each individual skill is responsible for updating these files AS IT WORKS , not just at completion. If a skill does not update the context progressively, the orchestrator must do it immediately after each discovery.

When to Use This Skill

Running a complete security assessment on a Supabase application
Performing internal security self-assessment before production
Auditing an application after security concerns are raised
Conducting periodic security reviews

Prerequisites

A public URL of the application to audit
Authorization to test the target application (you must own it or have explicit permission)
Internet access to reach the target URL

Important Security Notice

⚠️  AUTHORIZATION REQUIRED

Before proceeding, you must confirm:

1. I own this application, OR
2. I have explicit written authorization to perform security testing

Unauthorized security testing may violate laws and terms of service.
Type "I confirm I am authorized to test this application" to proceed.

Audit Phases

The orchestrator runs these phases sequentially with confirmation between each.

📁 REMINDER: After EVERY phase, verify that:

.sb-pentest-context.json is updated with phase results

.sb-pentest-audit.log has START and COMPLETE entries

Evidence files are saved to .sb-pentest-evidence/XX-phase/

timeline.md reflects any significant findings

curl-commands.sh contains all HTTP requests made

Phase 0: Initialization

Sets up the audit environment and evidence collection.

Pre-Phase Action (if supported):

UseEnterPlanMode if the environment supports it
This allows the user to validate the audit approach before execution
If Plan Mode is not available, proceed directly

Actions:

Create .sb-pentest-context.json
Create .sb-pentest-audit.log
Create .sb-pentest-evidence/ directory structure
Initialize curl-commands.sh with header
Initialize timeline.md with audit start
Log initialization to .sb-pentest-audit.log

Skills invoked:

supabase-evidence (initialization)

Verification before proceeding:

All 4 tracking files exist
Evidence directory structure is complete
User authorization confirmed

Output: Ready to collect evidence with full directory structure

Phase 1: Detection

Determines if the target uses Supabase and extracts basic information.

Skills invoked:

supabase-detect

Output: Confirmation of Supabase usage, project URL identified

Evidence saved to: .sb-pentest-evidence/01-detection/

Phase 2: Key Extraction

Scans client-side code for exposed credentials.

Skills invoked:

supabase-extract-url
supabase-extract-anon-key
supabase-extract-service-key
supabase-extract-jwt
supabase-extract-db-string

Output: List of all discovered credentials with severity assessment

Evidence saved to: .sb-pentest-evidence/02-extraction/

Phase 3: API Audit

Tests PostgREST API exposure and RLS policies.

Skills invoked:

supabase-audit-tables-list
supabase-audit-tables-read
supabase-audit-rls
supabase-audit-rpc

Output: Tables accessible, data exposure assessment, RLS gaps

Evidence saved to: .sb-pentest-evidence/03-api-audit/

Phase 4: Storage Audit

Checks storage bucket configurations and access.

Skills invoked:

supabase-audit-buckets-list
supabase-audit-buckets-read
supabase-audit-buckets-public

Output: Bucket inventory, public exposure, accessible files

Evidence saved to: .sb-pentest-evidence/04-storage-audit/

Phase 5: Auth Audit

Analyzes authentication configuration and potential weaknesses.

Skills invoked:

supabase-audit-auth-config
supabase-audit-auth-signup
supabase-audit-auth-users
supabase-audit-authenticated ← NEW: Creates test user (with consent) to detect IDOR

Output: Auth provider analysis, signup restrictions, enumeration risks, authenticated vs anonymous comparison

Evidence saved to: .sb-pentest-evidence/05-auth-audit/

⚠️ Note: supabase-audit-authenticated will ask for explicit consent before creating a test user. This is optional but highly recommended to detect IDOR and cross-user access vulnerabilities.

Phase 6: Realtime & Functions Audit

Tests WebSocket channels and Edge Functions.

Skills invoked:

supabase-audit-realtime
supabase-audit-functions

Output: Exposed channels, function endpoints, access control issues

Evidence saved to: .sb-pentest-evidence/06-realtime-audit/ and .sb-pentest-evidence/07-functions-audit/

Phase 7: Report Generation

Compiles all findings into a comprehensive report.

Skills invoked:

supabase-report

Output: Full Markdown report with executive summary, findings, and remediation

Workflow with Plan Mode

When Plan Mode is supported, the recommended workflow is:

1. User requests audit → Agent uses EnterPlanMode
2. Agent explores target superficially (detect Supabase, extract URL)
3. Agent writes plan to plan file with:
   - Target URL
   - Detected Supabase configuration
   - Proposed phases to execute
   - Estimated scope
4. Agent uses ExitPlanMode → User reviews and approves
5. Agent executes phases with systematic file updates
6. After each phase → Agent confirms files are updated
7. Final report generation

Benefits of Plan Mode:

User can adjust scope before execution starts
Better visibility into what will be tested
Clearer audit trail from planning to execution

Usage

Basic Full Audit (with Plan Mode)

Run a Supabase security audit on https://myapp.example.com

The agent SHOULD:

Use EnterPlanMode if available
Present the audit plan for approval
Execute with systematic file updates

Basic Full Audit (without Plan Mode)

Run a Supabase security audit on https://myapp.example.com --no-plan

Resume from Phase

Continue Supabase audit from Phase 3 (API Audit)

Skip Specific Phases

Run Supabase audit on https://myapp.example.com, skip auth audit

Context Files and Evidence (MANDATORY)

⚠️ CRITICAL: Updating tracking files and collecting evidence is MANDATORY.

The orchestrator creates and manages:

File/Directory	Purpose
`.sb-pentest-context.json`	Stores extracted data between phases
`.sb-pentest-audit.log`	Logs all actions with timestamps
`.sb-pentest-evidence/`	Evidence directory for professional audits

Evidence Collection

The orchestrator initializes the evidence directory at the start of every audit:

.sb-pentest-evidence/
├── README.md                    # Evidence index
├── curl-commands.sh             # All reproducible curl commands
├── timeline.md                  # Chronological findings
├── 01-detection/                # Detection evidence
├── 02-extraction/               # Key extraction evidence
├── 03-api-audit/                # API audit evidence
│   ├── tables/
│   ├── data-samples/
│   ├── rls-tests/
│   └── rpc-tests/
├── 04-storage-audit/            # Storage audit evidence
│   ├── buckets/
│   └── public-url-tests/
├── 05-auth-audit/               # Auth audit evidence
│   ├── signup-tests/
│   └── enumeration-tests/
├── 06-realtime-audit/           # Realtime audit evidence
├── 07-functions-audit/          # Functions audit evidence
└── screenshots/                 # Optional screenshots

Each skill MUST save evidence to its respective directory as it works.

Mandatory Update Rules

After each skill execution , .sb-pentest-context.json MUST be updated with results
Every action MUST be logged in .sb-pentest-audit.log with timestamp
If files don't exist , they MUST be created at audit start
Never complete a skill without updating context files

Mandatory Log Format

Each entry in .sb-pentest-audit.log must follow this format:

[YYYY-MM-DD HH:MM:SS] [SKILL_NAME] [STATUS] Message

Example:

[2025-01-31 14:00:00] [supabase-detect] [START] Starting Supabase detection
[2025-01-31 14:00:05] [supabase-detect] [SUCCESS] Supabase detected
[2025-01-31 14:00:05] [supabase-detect] [CONTEXT_UPDATED] .sb-pentest-context.json updated

Context File Structure

{
  "target_url": "https://myapp.example.com",
  "started_at": "2025-01-31T10:00:00Z",
  "authorization_confirmed": true,
  "supabase": {
    "detected": true,
    "project_url": "https://abc123.supabase.co",
    "anon_key": "eyJ...",
    "service_key_exposed": false
  },
  "phases_completed": ["detection", "extraction"],
  "findings": []
}

Rate Limiting

The orchestrator implements adaptive rate limiting:

Starts with normal request speed
If HTTP 429 (Too Many Requests) is detected, backs off exponentially
Respects Supabase's rate limit headers

Output Format

After each phase:

═══════════════════════════════════════════════════════════
 PHASE 2 COMPLETE: Key Extraction
═══════════════════════════════════════════════════════════

 Findings:
 ├── ✅ Anon key found (expected)
 ├── ❌ P0: Service role key EXPOSED in main.js:1247
 └── ⚠️  P1: JWT secret pattern detected

 Proceed to Phase 3 (API Audit)? [Y/n]
═══════════════════════════════════════════════════════════

Best Practices

Run audits in non-production hours to minimize impact
Save the context file for audit trail purposes
Review findings with your security team before remediation
Re-run the audit after implementing fixes to verify

Common Issues

❌ Problem: Audit stops at Phase 1 with "Supabase not detected" ✅ Solution: The app may use a custom domain. Manually provide the Supabase URL:

Run audit with Supabase URL https://myproject.supabase.co

❌ Problem: Rate limited during audit ✅ Solution: The orchestrator auto-adjusts. If persistent, wait 5 minutes and resume.

❌ Problem: Context file corrupted ✅ Solution: Delete .sb-pentest-context.json and restart the audit.

Related Skills

supabase-help — Quick reference for all skills
supabase-evidence — Evidence collection management
supabase-report — Generate report from existing context
supabase-report-compare — Compare with previous audits

Weekly Installs

132

Repository

yoanbernabeu/su…t-skills

GitHub Stars

First Seen

Jan 31, 2026

Security Audits

Gen Agent Trust HubPass SocketPass SnykFail

Installed on

codex98

opencode97

claude-code94

gemini-cli93

github-copilot87

cursor82

OpenClaw 安全 Linux 云部署指南：私有优先、SSH隧道、Podman容器化

36,400 周安装

Supabase 安全审计编排器 | 自动化渗透测试与渐进式文档管理

🇨🇳中文介绍

Supabase 安全审计编排器

相关 Skills

⚠️ 强制要求：渐进式上下文文件管理

📋 系统性文档要求

必需文件（强制）

验证清单（每次阶段转换前）

渐进式写入模式

故障恢复

何时使用此技能

先决条件

重要安全声明

审计阶段

阶段 0：初始化

阶段 1：检测

阶段 2：密钥提取

阶段 3：API 审计

阶段 4：存储审计

阶段 5：身份验证审计

阶段 6：实时与函数审计

阶段 7：报告生成

使用计划模式的工作流程

用法

基本完整审计（使用计划模式）

基本完整审计（不使用计划模式）

从阶段恢复

跳过特定阶段

上下文文件和证据（强制）

证据收集

强制更新规则

强制日志格式

上下文文件结构

速率限制

输出格式

最佳实践

常见问题

相关技能

🇺🇸English

Supabase Security Audit Orchestrator

⚠️ MANDATORY: Progressive Context File Management

📋 SYSTEMATIC DOCUMENTATION REQUIREMENTS

Required Files (MANDATORY)

Verification Checklist (Before Each Phase Transition)

Progressive Write Pattern

Failure Recovery

When to Use This Skill

Prerequisites

Important Security Notice

Audit Phases

Phase 0: Initialization

Phase 1: Detection

Phase 2: Key Extraction

Phase 3: API Audit

Phase 4: Storage Audit

Phase 5: Auth Audit

Phase 6: Realtime & Functions Audit

Phase 7: Report Generation

Workflow with Plan Mode

Usage

Basic Full Audit (with Plan Mode)

Basic Full Audit (without Plan Mode)

Resume from Phase

Skip Specific Phases

Context Files and Evidence (MANDATORY)

Evidence Collection

Mandatory Update Rules

Mandatory Log Format

Context File Structure

Rate Limiting

Output Format

Best Practices

Common Issues

Related Skills

最新 Skills