supabase-detect

Compare original and translation side by side

🇺🇸

Original

English

🇨🇳

Translation

Chinese

Supabase Detection

Supabase 检测

🔴 CRITICAL: PROGRESSIVE FILE UPDATES REQUIRED

You MUST write to context files AS YOU GO, not just at the end.
Write to
.sb-pentest-context.json
IMMEDIATELY after each discovery
Log to
.sb-pentest-audit.log
BEFORE and AFTER each action
DO NOT wait until the skill completes to update files

If the skill crashes or is interrupted, all prior findings must already be saved
This is not optional. Failure to write progressively is a critical error.

This skill determines whether a web application uses Supabase as its backend.

🔴 重要提示：需逐步更新文件

你必须逐步写入上下文文件，而不是只在最后统一写入。
每次发现后立即写入
.sb-pentest-context.json
每次操作前后都要记录到
.sb-pentest-audit.log
不要等到技能完成后才更新文件

如果技能崩溃或被中断，所有已有的发现必须已保存
此要求为强制性，未逐步写入属于严重错误。

本技能用于判断Web应用是否使用Supabase作为后端。

When to Use This Skill

何时使用此技能

Starting a security audit on an unknown application
Verifying Supabase usage before running other audit skills
Quickly checking multiple applications for Supabase presence

对未知应用启动安全审计时
在运行其他审计技能前验证是否使用Supabase
快速检查多个应用是否存在Supabase

Prerequisites

前提条件

Target URL must be publicly accessible
Internet connection to fetch and analyze the target

目标URL必须可公开访问
需联网以获取并分析目标内容

Detection Methods

检测方法

The skill uses multiple detection vectors:

本技能使用多种检测向量：

1. Domain Pattern Matching

1. 域名模式匹配

Searches for Supabase-related domains in:

HTML source code
JavaScript bundles
Network requests (via inline scripts)

Patterns detected:

*.supabase.co
*.supabase.com
supabase-cdn.com

在以下位置搜索Supabase相关域名：

HTML源代码
JavaScript包
网络请求（通过内联脚本）

检测到的模式：

*.supabase.co
*.supabase.com
supabase-cdn.com

2. JavaScript Client Detection

2. JavaScript客户端检测

Looks for Supabase client library signatures:

javascript

// Import patterns
import { createClient } from '@supabase/supabase-js'
const { createClient } = require('@supabase/supabase-js')

// Client initialization
supabase.createClient(
createClient('https://
SUPABASE_URL
NEXT_PUBLIC_SUPABASE
VITE_SUPABASE
REACT_APP_SUPABASE

查找Supabase客户端库特征：

javascript

// Import patterns
import { createClient } from '@supabase/supabase-js'
const { createClient } = require('@supabase/supabase-js')

// Client initialization
supabase.createClient(
createClient('https://
SUPABASE_URL
NEXT_PUBLIC_SUPABASE
VITE_SUPABASE
REACT_APP_SUPABASE

3. API Endpoint Detection

3. API端点检测

Checks for characteristic Supabase endpoints:

/rest/v1/
/auth/v1/
/storage/v1/
/realtime/v1/
/functions/v1/

检查典型的Supabase端点：

/rest/v1/
/auth/v1/
/storage/v1/
/realtime/v1/
/functions/v1/

4. Response Header Analysis

4. 响应头分析

Looks for Supabase-specific headers:

x-supabase-*
sb-*

查找Supabase特定的响应头：

x-supabase-*
sb-*

Usage

使用方法

Basic Detection

基础检测

Check if https://myapp.example.com uses Supabase

Check if https://myapp.example.com uses Supabase

Detection with Verbose Output

带详细输出的检测

Detect Supabase on https://myapp.example.com with full details

Detect Supabase on https://myapp.example.com with full details

Output Format

输出格式

Supabase Detected

检测到Supabase

═══════════════════════════════════════════════════════════
 SUPABASE DETECTED
═══════════════════════════════════════════════════════════

 Target: https://myapp.example.com
 Status: ✅ Supabase usage confirmed

 Detection Evidence:
 ├── Domain: abc123def.supabase.co (found in main.js)
 ├── Client: @supabase/supabase-js v2.x detected
 ├── Endpoints: /rest/v1/, /auth/v1/, /storage/v1/
 └── Headers: x-supabase-api-version present

 Project Reference: abc123def
 Project URL: https://abc123def.supabase.co

 Context saved to: .sb-pentest-context.json
═══════════════════════════════════════════════════════════

═══════════════════════════════════════════════════════════
 检测到Supabase
═══════════════════════════════════════════════════════════

 目标URL: https://myapp.example.com
 状态: ✅ 已确认使用Supabase

 检测证据:
 ├── 域名: abc123def.supabase.co (在main.js中发现)
 ├── 客户端: 检测到@supabase/supabase-js v2.x
 ├── 端点: /rest/v1/, /auth/v1/, /storage/v1/
 └── 响应头: 存在x-supabase-api-version

 项目标识: abc123def
 项目URL: https://abc123def.supabase.co

 上下文已保存至: .sb-pentest-context.json
═══════════════════════════════════════════════════════════

Supabase Not Detected

未检测到Supabase

═══════════════════════════════════════════════════════════
 DETECTION RESULT
═══════════════════════════════════════════════════════════

 Target: https://myapp.example.com
 Status: ❌ Supabase not detected

 Scanned:
 ├── HTML source: No Supabase patterns
 ├── JavaScript bundles: 3 files analyzed, no matches
 ├── Network patterns: No Supabase endpoints
 └── Response headers: No Supabase headers

 Note: The app may use a self-hosted Supabase or custom domain.
       Try providing a known Supabase URL manually if you have one.
═══════════════════════════════════════════════════════════

═══════════════════════════════════════════════════════════
 检测结果
═══════════════════════════════════════════════════════════

 目标URL: https://myapp.example.com
 状态: ❌ 未检测到Supabase

 扫描内容:
 ├── HTML源代码: 无Supabase相关模式
 ├── JavaScript包: 已分析3个文件，无匹配项
 ├── 网络模式: 无Supabase端点
 └── 响应头: 无Supabase相关头

 说明: 该应用可能使用自托管Supabase或自定义域名。
       若已知Supabase URL，可手动提供以重新检测。
═══════════════════════════════════════════════════════════

Context Output

上下文输出

When Supabase is detected, the skill saves to

.sb-pentest-context.json

json

{
  "target_url": "https://myapp.example.com",
  "detection": {
    "detected": true,
    "confidence": "high",
    "timestamp": "2025-01-31T10:00:00Z",
    "evidence": [
      {
        "type": "domain",
        "value": "abc123def.supabase.co",
        "location": "/static/js/main.js",
        "line": 1247
      },
      {
        "type": "client_library",
        "value": "@supabase/supabase-js",
        "version": "2.x"
      }
    ]
  },
  "supabase": {
    "project_ref": "abc123def",
    "project_url": "https://abc123def.supabase.co"
  }
}

当检测到Supabase时，技能会将内容保存至

.sb-pentest-context.json

：

json

{
  "target_url": "https://myapp.example.com",
  "detection": {
    "detected": true,
    "confidence": "high",
    "timestamp": "2025-01-31T10:00:00Z",
    "evidence": [
      {
        "type": "domain",
        "value": "abc123def.supabase.co",
        "location": "/static/js/main.js",
        "line": 1247
      },
      {
        "type": "client_library",
        "value": "@supabase/supabase-js",
        "version": "2.x"
      }
    ]
  },
  "supabase": {
    "project_ref": "abc123def",
    "project_url": "https://abc123def.supabase.co"
  }
}

Audit Log Entry

审计日志条目

Each detection is logged to

.sb-pentest-audit.log

[2025-01-31T10:00:00Z] DETECTION_START target=https://myapp.example.com
[2025-01-31T10:00:01Z] FETCH_HTML status=200 size=45KB
[2025-01-31T10:00:02Z] FETCH_JS file=main.js status=200 size=1.2MB
[2025-01-31T10:00:03Z] PATTERN_MATCH type=domain value=abc123def.supabase.co
[2025-01-31T10:00:03Z] DETECTION_COMPLETE result=detected confidence=high

每次检测都会记录到

.sb-pentest-audit.log

：

[2025-01-31T10:00:00Z] DETECTION_START target=https://myapp.example.com
[2025-01-31T10:00:01Z] FETCH_HTML status=200 size=45KB
[2025-01-31T10:00:02Z] FETCH_JS file=main.js status=200 size=1.2MB
[2025-01-31T10:00:03Z] PATTERN_MATCH type=domain value=abc123def.supabase.co
[2025-01-31T10:00:03Z] DETECTION_COMPLETE result=detected confidence=high

Confidence Levels

置信度等级

Level	Criteria
High	Multiple evidence types (domain + client + endpoints)
Medium	Single strong evidence (domain or explicit client init)
Low	Only indirect evidence (generic patterns, possible false positive)

等级	判定标准
高	存在多种类型证据（域名 + 客户端 + 端点）
中	单一强证据（域名或明确的客户端初始化代码）
低	仅间接证据（通用模式，可能存在误报）

Edge Cases

边缘情况

Custom Domains

自定义域名

Some Supabase projects use custom domains (e.g.,

api.mycompany.com

). In this case:

Detect Supabase on https://myapp.com with custom API domain api.mycompany.com

部分Supabase项目使用自定义域名（例如

api.mycompany.com

）。这种情况下：

Detect Supabase on https://myapp.com with custom API domain api.mycompany.com

Self-Hosted Supabase

自托管Supabase

Self-hosted instances won't have

.supabase.co

domains. Look for:

PostgREST patterns (
```
/rest/v1/
```
)
GoTrue auth patterns (
```
/auth/v1/
```
)
Supabase client library in code

自托管实例不会有

.supabase.co

域名。可通过以下特征查找：

PostgREST模式 (
```
/rest/v1/
```
)
GoTrue认证模式 (
```
/auth/v1/
```
)
代码中的Supabase客户端库

Single Page Applications

单页应用

For SPAs with lazy-loaded chunks:

Detect Supabase on https://myapp.com including all JS chunks

对于使用懒加载代码块的SPA：

Detect Supabase on https://myapp.com including all JS chunks

Common Issues

常见问题

❌ Problem: Detection returns false negative on SPA ✅ Solution: The app may lazy-load Supabase. Try interacting with the app first to load all chunks, or provide known patterns.

❌ Problem: Multiple Supabase projects detected ✅ Solution: This can happen with multi-tenant setups. The skill will list all found projects.

❌ Problem: Detection is slow ✅ Solution: Large JS bundles take time to analyze. Use

--quick

mode for faster but less thorough detection:

Quick detect Supabase on https://myapp.com

❌ 问题： SPA检测返回假阴性 ✅ 解决方案： 应用可能懒加载Supabase。可先与应用交互以加载所有代码块，或提供已知模式。

❌ 问题： 检测到多个Supabase项目 ✅ 解决方案： 多租户架构下可能出现此情况，技能会列出所有找到的项目。

❌ 问题： 检测速度慢 ✅ 解决方案： 大型JavaScript包需要更多分析时间。使用

--quick

模式可加快检测速度，但检测深度会降低：

Quick detect Supabase on https://myapp.com

Next Steps

后续步骤

After detection:

Run
```
supabase-extract-url
```
to confirm and extract the project URL
Run
```
supabase-extract-anon-key
```
to find the API key
Or use
```
supabase-pentest
```
for a full guided audit

检测完成后：

运行
```
supabase-extract-url
```
以确认并提取项目URL
运行
```
supabase-extract-anon-key
```
以查找API密钥
或使用
```
supabase-pentest
```
进行完整的引导式审计

MANDATORY: Progressive Context File Updates

强制性要求：逐步更新上下文文件

⚠️ This skill MUST update tracking files PROGRESSIVELY during execution, NOT just at the end.

⚠️ 本技能必须在执行过程中逐步更新跟踪文件，而非仅在最后统一更新。

Critical Rule: Write As You Go

核心规则：边执行边写入

DO NOT batch all writes at the end. Instead:

Before starting any action → Log the action to
```
.sb-pentest-audit.log
```
After each discovery → Immediately update
```
.sb-pentest-context.json
```
After each significant step → Log completion to
```
.sb-pentest-audit.log
```

This ensures that if the skill is interrupted, crashes, or times out, all findings up to that point are preserved.

不要批量写入所有内容。正确流程：

开始任何操作前 → 将操作记录到
```
.sb-pentest-audit.log
```
每次发现后 → 立即更新
```
.sb-pentest-context.json
```
完成每个重要步骤后 → 将完成状态记录到
```
.sb-pentest-audit.log
```

这样可确保若技能被中断、崩溃或超时，截至该时间点的所有发现都已保存。

Required Actions (Progressive)

需执行的逐步操作

Create/Update
.sb-pentest-context.json
with results:

json

{
  "target_url": "https://myapp.example.com",
  "detection": {
    "detected": true,
    "confidence": "high",
    "timestamp": "...",
    "evidence": [ ... ]
  },
  "supabase": {
    "project_ref": "abc123def",
    "project_url": "https://abc123def.supabase.co"
  }
}

Create/Log to
.sb-pentest-audit.log
:

[TIMESTAMP] [supabase-detect] [START] Starting Supabase detection
[TIMESTAMP] [supabase-detect] [SUCCESS] Supabase detected with high confidence
[TIMESTAMP] [supabase-detect] [CONTEXT_UPDATED] .sb-pentest-context.json created/updated

IMPORTANT: As the first skill in the audit chain, this skill is responsible for creating the context files if they don't exist.

FAILURE TO UPDATE CONTEXT FILES IS NOT ACCEPTABLE.

创建/更新
.sb-pentest-context.json
以保存结果：

json

{
  "target_url": "https://myapp.example.com",
  "detection": {
    "detected": true,
    "confidence": "high",
    "timestamp": "...",
    "evidence": [ ... ]
  },
  "supabase": {
    "project_ref": "abc123def",
    "project_url": "https://abc123def.supabase.co"
  }
}

创建/记录到
.sb-pentest-audit.log
：

[TIMESTAMP] [supabase-detect] [START] 开始Supabase检测
[TIMESTAMP] [supabase-detect] [SUCCESS] 以高置信度检测到Supabase
[TIMESTAMP] [supabase-detect] [CONTEXT_UPDATED] .sb-pentest-context.json已创建/更新

重要提示：作为审计流程中的首个技能，若上下文文件不存在，本技能需负责创建。

未更新上下文文件的情况是不被允许的。

MANDATORY: Evidence Collection

强制性要求：证据收集

📁 Evidence Directory:

.sb-pentest-evidence/01-detection/

📁 证据目录：

.sb-pentest-evidence/01-detection/

Evidence Files to Create

需创建的证据文件

File	Content
`initial-scan.json`	Raw detection results with all evidence
`supabase-endpoints.txt`	List of discovered Supabase endpoints
`client-code-snippets/`	Directory with relevant code excerpts

文件	内容
`initial-scan.json`	包含所有证据的原始检测结果
`supabase-endpoints.txt`	已发现的Supabase端点列表
`client-code-snippets/`	存放相关代码片段的目录

Evidence Format

证据格式

json

{
  "evidence_id": "DET-001",
  "timestamp": "2025-01-31T10:00:00Z",
  "category": "detection",
  "target_url": "https://myapp.example.com",

  "detection_results": {
    "supabase_detected": true,
    "confidence": "high",
    "project_url": "https://abc123def.supabase.co",
    "project_ref": "abc123def"
  },

  "evidence": [
    {
      "type": "domain_pattern",
      "value": "abc123def.supabase.co",
      "location": "/static/js/main.js",
      "line": 1247,
      "context": "const SUPABASE_URL = 'https://abc123def.supabase.co'"
    },
    {
      "type": "client_library",
      "value": "@supabase/supabase-js",
      "version": "2.x"
    }
  ],

  "curl_command": "curl -s 'https://abc123def.supabase.co/rest/v1/' -H 'apikey: [ANON_KEY]'"
}

json

{
  "evidence_id": "DET-001",
  "timestamp": "2025-01-31T10:00:00Z",
  "category": "detection",
  "target_url": "https://myapp.example.com",

  "detection_results": {
    "supabase_detected": true,
    "confidence": "high",
    "project_url": "https://abc123def.supabase.co",
    "project_ref": "abc123def"
  },

  "evidence": [
    {
      "type": "domain_pattern",
      "value": "abc123def.supabase.co",
      "location": "/static/js/main.js",
      "line": 1247,
      "context": "const SUPABASE_URL = 'https://abc123def.supabase.co'"
    },
    {
      "type": "client_library",
      "value": "@supabase/supabase-js",
      "version": "2.x"
    }
  ],

  "curl_command": "curl -s 'https://abc123def.supabase.co/rest/v1/' -H 'apikey: [ANON_KEY]'"
}

Add to curl-commands.sh

添加至curl-commands.sh

bash

undefined

bash

undefined

=== DETECTION ===

=== 检测阶段 ===

Check Supabase API availability

检查Supabase API可用性

curl -s "$SUPABASE_URL/rest/v1/" -H "apikey: $ANON_KEY" | head -100

undefined

curl -s "$SUPABASE_URL/rest/v1/" -H "apikey: $ANON_KEY" | head -100

undefined

Add to timeline.md

添加至timeline.md

markdown

undefined

markdown

undefined

[TIMESTAMP] - Detection Phase Complete

[时间戳] - 检测阶段完成

Supabase detected with [confidence] confidence
Project: [project_ref]
Evidence:
```
01-detection/initial-scan.json
```

undefined

以[置信度]置信度检测到Supabase
项目: [project_ref]
证据:
```
01-detection/initial-scan.json
```

undefined

supabase-detect

Original

Translation

Supabase Detection

Supabase 检测

When to Use This Skill

何时使用此技能

Prerequisites

前提条件

Detection Methods

检测方法

1. Domain Pattern Matching

1. 域名模式匹配

2. JavaScript Client Detection

2. JavaScript客户端检测

3. API Endpoint Detection

3. API端点检测

4. Response Header Analysis

4. 响应头分析

Usage

使用方法

Basic Detection

基础检测

Detection with Verbose Output

带详细输出的检测

Output Format

输出格式

Supabase Detected

检测到Supabase

Supabase Not Detected

未检测到Supabase

Context Output

上下文输出

Audit Log Entry

审计日志条目

Confidence Levels

置信度等级

Edge Cases

边缘情况

Custom Domains

自定义域名

Self-Hosted Supabase

自托管Supabase

Single Page Applications

单页应用

Common Issues

常见问题

Next Steps

后续步骤

MANDATORY: Progressive Context File Updates

强制性要求：逐步更新上下文文件

Critical Rule: Write As You Go

核心规则：边执行边写入

Required Actions (Progressive)

需执行的逐步操作

MANDATORY: Evidence Collection

强制性要求：证据收集

Evidence Files to Create

需创建的证据文件

Evidence Format

证据格式

Add to curl-commands.sh

添加至curl-commands.sh

=== DETECTION ===

=== 检测阶段 ===

Check Supabase API availability

检查Supabase API可用性

Add to timeline.md

添加至timeline.md

[TIMESTAMP] - Detection Phase Complete

[时间戳] - 检测阶段完成

Related Skills

相关技能