Supabase 渗透测试技能帮助 | 24项安全审计工具快速参考与使用指南

supabase-help by yoanbernabeu/supabase-pentest-skills

107 周安装量

33 GitHub Stars

GitHub

安装命令

npx skills add https://github.com/yoanbernabeu/supabase-pentest-skills --skill supabase-help

云服务测试安全

🇨🇳中文介绍

Supabase 渗透测试技能帮助

所有 24 项安全审计技能的快速参考。

何时使用此技能

需要快速概览可用技能
为特定任务寻找合适的技能
想要特定技能的使用示例

快速开始

# 完整引导式审计
/supabase-pentest https://myapp.example.com

# 检查应用是否使用 Supabase
/supabase-detect https://myapp.example.com

# 根据之前的审计生成报告
/supabase-report

所有技能参考

编排

技能	命令	用途
`supabase-pentest`	`/supabase-pentest <url>`	完整的引导式安全审计
`supabase-evidence`

广告位招租

在这里展示您的产品或服务

触达数万 AI 开发者，精准高效

联系我们

相关 Skills

Azure Data Explorer (Kusto) 查询技能：KQL数据分析、日志遥测与时间序列处理

130,600 周安装

Azure RBAC 权限管理工具：查找最小角色、创建自定义角色与自动化分配

129,699 周安装

Azure 配额管理指南：服务限制、容量验证与配额增加方法

107,600 周安装

Azure 升级评估与自动化工具 - 轻松迁移 Functions 计划、托管层级和 SKU

96,200 周安装

技能	命令	用途
`supabase-detect`	`/supabase-detect <url>`	检测 Supabase 使用情况

技能	命令	用途
`supabase-extract-url`	`/supabase-extract-url <url>`	查找 Supabase 项目 URL
`supabase-extract-anon-key`	`/supabase-extract-anon-key`	提取匿名 API 密钥
`supabase-extract-service-key`	`/supabase-extract-service-key`	查找泄露的服务密钥
`supabase-extract-jwt`	`/supabase-extract-jwt`	从代码中提取 JWT
`supabase-extract-db-string`	`/supabase-extract-db-string`	查找数据库连接字符串

技能	命令	用途
`supabase-audit-tables-list`	`/supabase-audit-tables-list`	列出暴露的表
`supabase-audit-tables-read`	`/supabase-audit-tables-read`	读取表数据
`supabase-audit-rls`	`/supabase-audit-rls`	测试 RLS 策略
`supabase-audit-rpc`	`/supabase-audit-rpc`	测试 RPC 函数

技能	命令	用途
`supabase-audit-buckets-list`	`/supabase-audit-buckets-list`	列出存储桶
`supabase-audit-buckets-read`	`/supabase-audit-buckets-read`	读取存储桶文件
`supabase-audit-buckets-public`	`/supabase-audit-buckets-public`	查找公共存储桶

技能	命令	用途
`supabase-audit-auth-config`	`/supabase-audit-auth-config`	检查认证设置
`supabase-audit-auth-signup`	`/supabase-audit-auth-signup`	测试注册访问
`supabase-audit-auth-users`	`/supabase-audit-auth-users`	测试用户枚举
`supabase-audit-authenticated`	`/supabase-audit-authenticated`	创建测试用户以检测 IDOR

技能	命令	用途
`supabase-audit-realtime`	`/supabase-audit-realtime`	测试实时频道
`supabase-audit-functions`	`/supabase-audit-functions`	测试边缘函数

技能	命令	用途
`supabase-report`	`/supabase-report`	生成 Markdown 报告
`supabase-report-compare`	`/supabase-report-compare <old> <new>`	比较两份报告

级别	颜色	描述
P0	🔴	严重：数据暴露、用户数据、权限提升
P1	🟠	高：敏感数据、安全配置错误
P2	🟡	中：轻微暴露、违反最佳实践

1. /supabase-detect https://myapp.com
2. /supabase-extract-anon-key
3. /supabase-audit-rls
4. /supabase-report

1. /supabase-pentest https://myapp.com
   (按照引导提示完成所有阶段)

1. /supabase-detect https://myapp.com
2. /supabase-audit-buckets-list
3. /supabase-audit-buckets-public
4. /supabase-report

1. 将之前的报告复制到 reports/audit-v1.md
2. 运行新审计：/supabase-pentest https://myapp.com
3. /supabase-report-compare reports/audit-v1.md supabase-audit-report.md

创建的文件和目录

文件/目录	描述
`.sb-pentest-context.json`	技能间共享的上下文
`.sb-pentest-audit.log`	带时间戳的操作日志
`.sb-pentest-evidence/`	专业审计的证据目录
`supabase-audit-report.md`	最终安全报告

.sb-pentest-evidence/
├── README.md                 # 证据索引
├── curl-commands.sh          # 可复现的命令
├── timeline.md               # 按时间顺序排列的发现
├── 01-detection/             # 检测证据
├── 02-extraction/            # 密钥提取证据
├── 03-api-audit/             # API 审计证据
├── 04-storage-audit/         # 存储审计证据
├── 05-auth-audit/            # 认证审计证据
├── 06-realtime-audit/        # 实时审计证据
├── 07-functions-audit/       # 函数审计证据
└── screenshots/              # 可选截图

始终先运行检测 — 大多数技能会自动调用它，但显式运行更快
检查上下文文件 — 如果技能行为异常，上下文可能包含过时数据
使用编排器进行完整审计 — 它会自动处理依赖关系
保存带日期的报告 — 将 supabase-audit-report.md 重命名为包含日期以便追踪历史

需要更多帮助？

每个技能都有详细文档 — 运行 /supabase-<skill-name> 获取具体信息
查看仓库根目录的 README
在 GitHub 上提交问题以报告错误或功能请求

🇺🇸English

Supabase Pentest Skills Help

Quick reference for all 24 security audit skills.

When to Use This Skill

Need a quick overview of available skills
Looking for the right skill for a specific task
Want usage examples for a particular skill

Quick Start

# Full guided audit
/supabase-pentest https://myapp.example.com

# Check if app uses Supabase
/supabase-detect https://myapp.example.com

# Generate report from previous audit
/supabase-report

All Skills Reference

Orchestration

Skill	Command	Purpose
`supabase-pentest`	`/supabase-pentest <url>`	Full guided security audit
`supabase-evidence`	`/supabase-evidence`	Initialize evidence collection
`supabase-help`	`/supabase-help`	This help reference

Detection

Skill	Command	Purpose
`supabase-detect`	`/supabase-detect <url>`	Detect Supabase usage

Extraction

Skill	Command	Purpose
`supabase-extract-url`	`/supabase-extract-url <url>`	Find Supabase project URL
`supabase-extract-anon-key`	`/supabase-extract-anon-key`	Extract anon API key
`supabase-extract-service-key`	`/supabase-extract-service-key`	Find leaked service key

API Audit

Skill	Command	Purpose
`supabase-audit-tables-list`	`/supabase-audit-tables-list`	List exposed tables
`supabase-audit-tables-read`	`/supabase-audit-tables-read`	Read table data
`supabase-audit-rls`	`/supabase-audit-rls`	Test RLS policies

Storage Audit

Skill	Command	Purpose
`supabase-audit-buckets-list`	`/supabase-audit-buckets-list`	List storage buckets
`supabase-audit-buckets-read`	`/supabase-audit-buckets-read`	Read bucket files
`supabase-audit-buckets-public`	`/supabase-audit-buckets-public`	Find public buckets

Auth Audit

Skill	Command	Purpose
`supabase-audit-auth-config`	`/supabase-audit-auth-config`	Check auth settings
`supabase-audit-auth-signup`	`/supabase-audit-auth-signup`	Test signup access
`supabase-audit-auth-users`	`/supabase-audit-auth-users`	Test user enumeration

Realtime & Functions

Skill	Command	Purpose
`supabase-audit-realtime`	`/supabase-audit-realtime`	Test Realtime channels
`supabase-audit-functions`	`/supabase-audit-functions`	Test Edge Functions

Reporting

Skill	Command	Purpose
`supabase-report`	`/supabase-report`	Generate Markdown report
`supabase-report-compare`	`/supabase-report-compare <old> <new>`	Compare two reports

Severity Levels

Level	Color	Description
P0	🔴	Critical: data exposure, user data, privilege escalation
P1	🟠	High: sensitive data, security misconfiguration
P2	🟡	Medium: minor exposure, best practice violations

Common Workflows

Quick Security Check

1. /supabase-detect https://myapp.com
2. /supabase-extract-anon-key
3. /supabase-audit-rls
4. /supabase-report

Full Audit

1. /supabase-pentest https://myapp.com
   (Follow guided prompts through all phases)

Storage-Only Audit

1. /supabase-detect https://myapp.com
2. /supabase-audit-buckets-list
3. /supabase-audit-buckets-public
4. /supabase-report

Compare After Fixes

1. Copy previous report to reports/audit-v1.md
2. Run new audit: /supabase-pentest https://myapp.com
3. /supabase-report-compare reports/audit-v1.md supabase-audit-report.md

Files and Directories Created

File/Directory	Description
`.sb-pentest-context.json`	Shared context between skills
`.sb-pentest-audit.log`	Action log with timestamps
`.sb-pentest-evidence/`	Evidence directory for professional audits
`supabase-audit-report.md`	Final security report

Evidence Directory Structure

.sb-pentest-evidence/
├── README.md                 # Evidence index
├── curl-commands.sh          # Reproducible commands
├── timeline.md               # Chronological findings
├── 01-detection/             # Detection evidence
├── 02-extraction/            # Key extraction evidence
├── 03-api-audit/             # API audit evidence
├── 04-storage-audit/         # Storage audit evidence
├── 05-auth-audit/            # Auth audit evidence
├── 06-realtime-audit/        # Realtime audit evidence
├── 07-functions-audit/       # Functions audit evidence
└── screenshots/              # Optional screenshots

Tips

Always run detection first — Most skills auto-invoke it, but it's faster to run explicitly
Check the context file — If a skill behaves unexpectedly, the context may have stale data
Use the orchestrator for full audits — It handles dependencies automatically
Save reports with dates — Rename supabase-audit-report.md to include the date for history

Need More Help?

Each skill has detailed documentation — run /supabase-<skill-name> for specifics
Check the README at the repository root
Open an issue on GitHub for bugs or feature requests

Weekly Installs

107

Repository

yoanbernabeu/su…t-skills

GitHub Stars

First Seen

Jan 31, 2026

Security Audits

Gen Agent Trust HubPass SocketPass SnykFail

Installed on

claude-code91

codex81

opencode79

gemini-cli76

github-copilot70

cursor70

Supabase Postgres 最佳实践指南 - 8大类别性能优化规则与SQL示例

70,900 周安装

supabase-extract-jwt

supabase-audit-rpc

supabase-audit-authenticated