Supabase Security Audit Orchestrator

🔵 RECOMMENDED: USE PLAN MODE FOR COMPLEX AUDITS

When your environment supports Plan Mode, it is strongly recommended to activate it before starting the audit:
Use the
EnterPlanMode
tool at the start of the orchestration
Plan Mode enables better organization of multi-phase audits

It allows the user to validate the approach before execution

If Plan Mode is not available, proceed directly with execution
Plan Mode provides better traceability and user control over the audit process.

🔴 CRITICAL: PROGRESSIVE FILE UPDATES REQUIRED

You MUST write to context files AS YOU GO, not just at the end.
Write to
.sb-pentest-context.json
IMMEDIATELY after each discovery
Log to
.sb-pentest-audit.log
BEFORE and AFTER each action
DO NOT wait until a phase or skill completes to update files

If the audit crashes or is interrupted, all prior findings must already be saved
This is not optional. Failure to write progressively is a critical error.

This skill orchestrates a complete security audit of a Supabase-based application, guiding you through each phase with validation checkpoints.

⚠️ MANDATORY: Progressive Context File Management

BEFORE starting any audit, you MUST:

Create
```
.sb-pentest-context.json
```
if it doesn't exist
Create
```
.sb-pentest-audit.log
```
if it doesn't exist
Create
```
.sb-pentest-evidence/
```
directory structure
Initialize context with target URL and timestamp

DURING execution - WRITE AS YOU GO:

BEFORE each action → Log to
```
.sb-pentest-audit.log
```
AFTER each discovery → IMMEDIATELY update
```
.sb-pentest-context.json
```
AFTER each test → Save evidence to
```
.sb-pentest-evidence/
```
DO NOT batch writes → Each finding must be saved as it's discovered
Verify after each skill → Check that ALL files were updated before proceeding

📋 SYSTEMATIC DOCUMENTATION REQUIREMENTS

All tracking files MUST be systematically maintained throughout the entire audit.

Required Files (MANDATORY)

File	Purpose	Update Frequency
`.sb-pentest-context.json`	Centralized state and findings	After EVERY discovery
`.sb-pentest-audit.log`	Chronological action log	BEFORE and AFTER every action
`.sb-pentest-evidence/timeline.md`	Timestamped findings narrative	After EVERY significant finding
`.sb-pentest-evidence/curl-commands.sh`	Reproducible test commands	After EVERY curl/HTTP request

Verification Checklist (Before Each Phase Transition)

Before moving to the next phase, the orchestrator MUST verify:

```
.sb-pentest-context.json
```
contains all discoveries from current phase
```
.sb-pentest-audit.log
```
has entries for all actions performed
Evidence files exist in
```
.sb-pentest-evidence/XX-phase-name/
```
```
timeline.md
```
is updated with any P0/P1/P2 findings
```
curl-commands.sh
```
contains all HTTP requests made

If any file is missing or incomplete, DO NOT proceed to the next phase.

Progressive Write Pattern

Each skill MUST follow this pattern:

1. [LOG] Write START entry to audit.log
2. [CONTEXT] Update context.json with "phase_in_progress"
3. [ACTION] Perform the test/scan
4. [EVIDENCE] Save evidence file IMMEDIATELY
5. [CURL] Append curl command to curl-commands.sh
6. [TIMELINE] Update timeline.md if significant finding
7. [CONTEXT] Update context.json with results
8. [LOG] Write COMPLETE entry to audit.log

Failure Recovery

If a skill or phase fails:

All files updated up to the failure point are preserved
The audit can be resumed from the last successful checkpoint
Context file indicates exactly where the audit stopped

⚠️ WHY THIS MATTERS:

If the audit is interrupted, crashes, or times out, findings up to that point are preserved
Long-running skills must save progress incrementally, not just at the end
Users can monitor progress in real-time by watching the log file

FAILURE TO UPDATE CONTEXT FILES PROGRESSIVELY IS NOT ACCEPTABLE.

Each individual skill is responsible for updating these files AS IT WORKS, not just at completion. If a skill does not update the context progressively, the orchestrator must do it immediately after each discovery.

When to Use This Skill

Running a complete security assessment on a Supabase application
Performing internal security self-assessment before production
Auditing an application after security concerns are raised
Conducting periodic security reviews

Prerequisites

A public URL of the application to audit
Authorization to test the target application (you must own it or have explicit permission)
Internet access to reach the target URL

Important Security Notice

⚠️  AUTHORIZATION REQUIRED

Before proceeding, you must confirm:

1. I own this application, OR
2. I have explicit written authorization to perform security testing

Unauthorized security testing may violate laws and terms of service.
Type "I confirm I am authorized to test this application" to proceed.

Audit Phases

The orchestrator runs these phases sequentially with confirmation between each.

📁 REMINDER: After EVERY phase, verify that:
.sb-pentest-context.json
is updated with phase results
.sb-pentest-audit.log
has START and COMPLETE entries
Evidence files are saved to
.sb-pentest-evidence/XX-phase/
timeline.md
reflects any significant findings
curl-commands.sh
contains all HTTP requests made

Phase 0: Initialization

Sets up the audit environment and evidence collection.

Pre-Phase Action (if supported):

Use
EnterPlanMode
if the environment supports it
This allows the user to validate the audit approach before execution
If Plan Mode is not available, proceed directly

Actions:

Create
```
.sb-pentest-context.json
```
Create
```
.sb-pentest-audit.log
```
Create
```
.sb-pentest-evidence/
```
directory structure
Initialize
```
curl-commands.sh
```
with header
Initialize
```
timeline.md
```
with audit start
Log initialization to
```
.sb-pentest-audit.log
```

Skills invoked:

```
supabase-evidence
```
(initialization)

Verification before proceeding:

All 4 tracking files exist
Evidence directory structure is complete
User authorization confirmed

Output: Ready to collect evidence with full directory structure

Phase 1: Detection

Determines if the target uses Supabase and extracts basic information.

Skills invoked:

```
supabase-detect
```

Output: Confirmation of Supabase usage, project URL identified

Evidence saved to:

.sb-pentest-evidence/01-detection/

Phase 2: Key Extraction

Scans client-side code for exposed credentials.

Skills invoked:

```
supabase-extract-url
```
```
supabase-extract-anon-key
```
```
supabase-extract-service-key
```
```
supabase-extract-jwt
```
```
supabase-extract-db-string
```

Output: List of all discovered credentials with severity assessment

Evidence saved to:

.sb-pentest-evidence/02-extraction/

Phase 3: API Audit

Tests PostgREST API exposure and RLS policies.

Skills invoked:

```
supabase-audit-tables-list
```
```
supabase-audit-tables-read
```
```
supabase-audit-rls
```
```
supabase-audit-rpc
```

Output: Tables accessible, data exposure assessment, RLS gaps

Evidence saved to:

.sb-pentest-evidence/03-api-audit/

Phase 4: Storage Audit

Checks storage bucket configurations and access.

Skills invoked:

```
supabase-audit-buckets-list
```
```
supabase-audit-buckets-read
```
```
supabase-audit-buckets-public
```

Output: Bucket inventory, public exposure, accessible files

Evidence saved to:

.sb-pentest-evidence/04-storage-audit/

Phase 5: Auth Audit

Analyzes authentication configuration and potential weaknesses.

Skills invoked:

```
supabase-audit-auth-config
```
```
supabase-audit-auth-signup
```
```
supabase-audit-auth-users
```
```
supabase-audit-authenticated
```
← NEW: Creates test user (with consent) to detect IDOR

Output: Auth provider analysis, signup restrictions, enumeration risks, authenticated vs anonymous comparison

Evidence saved to:

.sb-pentest-evidence/05-auth-audit/

⚠️ Note:
supabase-audit-authenticated
will ask for explicit consent before creating a test user. This is optional but highly recommended to detect IDOR and cross-user access vulnerabilities.

Phase 6: Realtime & Functions Audit

Tests WebSocket channels and Edge Functions.

Skills invoked:

```
supabase-audit-realtime
```
```
supabase-audit-functions
```

Output: Exposed channels, function endpoints, access control issues

Evidence saved to:

.sb-pentest-evidence/06-realtime-audit/

and

.sb-pentest-evidence/07-functions-audit/

Phase 7: Report Generation

Compiles all findings into a comprehensive report.

Skills invoked:

```
supabase-report
```

Output: Full Markdown report with executive summary, findings, and remediation

Workflow with Plan Mode

When Plan Mode is supported, the recommended workflow is:

1. User requests audit → Agent uses EnterPlanMode
2. Agent explores target superficially (detect Supabase, extract URL)
3. Agent writes plan to plan file with:
   - Target URL
   - Detected Supabase configuration
   - Proposed phases to execute
   - Estimated scope
4. Agent uses ExitPlanMode → User reviews and approves
5. Agent executes phases with systematic file updates
6. After each phase → Agent confirms files are updated
7. Final report generation

Benefits of Plan Mode:

User can adjust scope before execution starts
Better visibility into what will be tested
Clearer audit trail from planning to execution

Usage

Basic Full Audit (with Plan Mode)

Run a Supabase security audit on https://myapp.example.com

The agent SHOULD:

Use
```
EnterPlanMode
```
if available
Present the audit plan for approval
Execute with systematic file updates

Basic Full Audit (without Plan Mode)

Run a Supabase security audit on https://myapp.example.com --no-plan

Resume from Phase

Continue Supabase audit from Phase 3 (API Audit)

Skip Specific Phases

Run Supabase audit on https://myapp.example.com, skip auth audit

Context Files and Evidence (MANDATORY)

⚠️ CRITICAL: Updating tracking files and collecting evidence is MANDATORY.

The orchestrator creates and manages:

File/Directory	Purpose
`.sb-pentest-context.json`	Stores extracted data between phases
`.sb-pentest-audit.log`	Logs all actions with timestamps
`.sb-pentest-evidence/`	Evidence directory for professional audits

Evidence Collection

The orchestrator initializes the evidence directory at the start of every audit:

.sb-pentest-evidence/
├── README.md                    # Evidence index
├── curl-commands.sh             # All reproducible curl commands
├── timeline.md                  # Chronological findings
├── 01-detection/                # Detection evidence
├── 02-extraction/               # Key extraction evidence
├── 03-api-audit/                # API audit evidence
│   ├── tables/
│   ├── data-samples/
│   ├── rls-tests/
│   └── rpc-tests/
├── 04-storage-audit/            # Storage audit evidence
│   ├── buckets/
│   └── public-url-tests/
├── 05-auth-audit/               # Auth audit evidence
│   ├── signup-tests/
│   └── enumeration-tests/
├── 06-realtime-audit/           # Realtime audit evidence
├── 07-functions-audit/          # Functions audit evidence
└── screenshots/                 # Optional screenshots

Each skill MUST save evidence to its respective directory as it works.

Mandatory Update Rules

After each skill execution,
```
.sb-pentest-context.json
```
MUST be updated with results
Every action MUST be logged in
```
.sb-pentest-audit.log
```
with timestamp
If files don't exist, they MUST be created at audit start
Never complete a skill without updating context files

Mandatory Log Format

Each entry in

.sb-pentest-audit.log

must follow this format:

[YYYY-MM-DD HH:MM:SS] [SKILL_NAME] [STATUS] Message

Example:

[2025-01-31 14:00:00] [supabase-detect] [START] Starting Supabase detection
[2025-01-31 14:00:05] [supabase-detect] [SUCCESS] Supabase detected
[2025-01-31 14:00:05] [supabase-detect] [CONTEXT_UPDATED] .sb-pentest-context.json updated

Context File Structure

json

{
  "target_url": "https://myapp.example.com",
  "started_at": "2025-01-31T10:00:00Z",
  "authorization_confirmed": true,
  "supabase": {
    "detected": true,
    "project_url": "https://abc123.supabase.co",
    "anon_key": "eyJ...",
    "service_key_exposed": false
  },
  "phases_completed": ["detection", "extraction"],
  "findings": []
}

Rate Limiting

The orchestrator implements adaptive rate limiting:

Starts with normal request speed
If HTTP 429 (Too Many Requests) is detected, backs off exponentially
Respects Supabase's rate limit headers

Output Format

After each phase:

═══════════════════════════════════════════════════════════
 PHASE 2 COMPLETE: Key Extraction
═══════════════════════════════════════════════════════════

 Findings:
 ├── ✅ Anon key found (expected)
 ├── ❌ P0: Service role key EXPOSED in main.js:1247
 └── ⚠️  P1: JWT secret pattern detected

 Proceed to Phase 3 (API Audit)? [Y/n]
═══════════════════════════════════════════════════════════

Best Practices

Run audits in non-production hours to minimize impact
Save the context file for audit trail purposes
Review findings with your security team before remediation
Re-run the audit after implementing fixes to verify

Common Issues

❌ Problem: Audit stops at Phase 1 with "Supabase not detected" ✅ Solution: The app may use a custom domain. Manually provide the Supabase URL:

Run audit with Supabase URL https://myproject.supabase.co

❌ Problem: Rate limited during audit ✅ Solution: The orchestrator auto-adjusts. If persistent, wait 5 minutes and resume.

❌ Problem: Context file corrupted ✅ Solution: Delete

.sb-pentest-context.json

and restart the audit.

Related Skills

```
supabase-help
```
— Quick reference for all skills
```
supabase-evidence
```
— Evidence collection management
```
supabase-report
```
— Generate report from existing context
```
supabase-report-compare
```
— Compare with previous audits

supabase-pentest

NPX Install

Tags

SKILL.md Content

Supabase Security Audit Orchestrator

⚠️ MANDATORY: Progressive Context File Management

📋 SYSTEMATIC DOCUMENTATION REQUIREMENTS

Required Files (MANDATORY)

Verification Checklist (Before Each Phase Transition)

Progressive Write Pattern

Failure Recovery

When to Use This Skill

Prerequisites

Important Security Notice

Audit Phases

Phase 0: Initialization

Phase 1: Detection

Phase 2: Key Extraction

Phase 3: API Audit

Phase 4: Storage Audit

Phase 5: Auth Audit

Phase 6: Realtime & Functions Audit

Phase 7: Report Generation

Workflow with Plan Mode

Usage

Basic Full Audit (with Plan Mode)

Basic Full Audit (without Plan Mode)

Resume from Phase

Skip Specific Phases

Context Files and Evidence (MANDATORY)

Evidence Collection

Mandatory Update Rules

Mandatory Log Format

Context File Structure

Rate Limiting

Output Format

Best Practices

Common Issues

Related Skills