dyagil

Supabase Security Audit

Author: dyagil · GitHub ↗ · v1.0.0 · MIT-0
cross-platform ⚠ suspicious
108 total downloads · 0 favorites · 0 current installs · 1 version
Install in OpenClaw
/install dyagil-supabase-security-audit
Description
Audit a Supabase + Vercel project for RLS coverage, privilege escalation, cross-customer data leaks, anonymous exposure, magic-link flow correctness, and HTT...
Usage (SKILL.md)

Supabase Security Audit

Run the audit, read the findings, apply hotfixes. The script is tuned for projects that use Supabase + Vercel and a profiles table with role in ('admin','agent','customer') (or similar), but its individual probes are independent — single-table projects benefit too.

When to Run

  • User asks "are we secure?" / "security audit" / "RLS check".
  • After any migration that touches profiles, RLS policies, or auth triggers.
  • Before sending the first real magic link to a customer.
  • After rotating credentials or changing Site URL / Redirect URLs.
  • Before exposing a new surface (portal, CRM, admin tool) to real users.

Prerequisites

Credentials file at ~/.openclaw/credentials/supabase/credentials.env (override path with --cred) containing:

SUPABASE_URL=https://<ref>.supabase.co
SUPABASE_PROJECT_REF=<ref>
SUPABASE_ANON_KEY=...
SUPABASE_SERVICE_ROLE_KEY=...
SUPABASE_DB_PASSWORD=...

The pg Node package must be reachable. The script auto-discovers it from /tmp/sb-tools/node_modules/pg. If missing:

mkdir -p /tmp/sb-tools && (cd /tmp/sb-tools && npm i pg)

Workflow

1. Run the audit

node <skills-dir>/supabase-security-audit/scripts/audit.js \
  --probe-uid <existing-customer-uid> \
  --target-uid <another-customer-uid> \
  --site https://example.com
  • --probe-uid / --target-uid are optional but unlock the live privilege-escalation probe and the cross-customer data-leak probe. Both probes run inside a transaction that is always rolled back — they do not mutate the database.
  • --site adds a HEAD request to check security headers (CSP, HSTS, etc.).
  • --public-tables overrides the default list checked for anonymous reads (defaults to profiles,deals,documents,invoices,inquiries,customer_events,tax_engagements).

Exit code is 0 if no critical findings, 1 if any.

2. Read the findings

Output is grouped: RLS coverage → anonymous exposure → UPDATE policies → live privilege escalation → cross-customer leaks → HTTP headers → summary.

Severity icons:

  • 🚨 crit — exploitable now, fix today.
  • 🟡 warn — best-practice gap or audit step skipped (e.g. no --probe-uid).
  • ✅ ok — passed.

3. Map findings to fixes

For each 🚨 finding, look it up in references/threat-patterns.md — every common pattern in that file has a detection query, an impact statement, and a fix.

The most common critical finding is "UPDATE policy lacks WITH CHECK on role/email — privilege escalation risk". That has a turn-key SQL template:

# Edit the table name in the file first if it isn't `public.profiles`
node <project>/deploy/run-migration.cjs \
  <skills-dir>/supabase-security-audit/scripts/hotfix-role-lock.sql

Then re-run audit.js to confirm the finding flipped to ✅.
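The finding above comes down to one Postgres detail: an UPDATE policy's USING clause only decides which existing rows a session may target, while WITH CHECK decides what the new row may look like. Without WITH CHECK, a customer who may update their own row may also set its role column to 'admin'. The following is an added example written for this page, not the skill's own audit.js or hotfix-role-lock.sql. It shows the weak policy, the rolled-back probe the workflow describes, the hardened policy, and a belt-and-braces trigger. It assumes a Supabase Postgres database (auth.uid(), the authenticated and service_role roles, and the ability of the connecting role to SET ROLE authenticated), a profiles table shaped as SKILL.md describes, and psql; the function, trigger and policy names and the probe UUID are constructed for the example.

```sql
-- Added example, not the skill's own audit.js or hotfix-role-lock.sql.
-- Assumes a Supabase Postgres database (auth.uid() and the authenticated /
-- service_role roles exist) and a profiles table shaped as SKILL.md describes.
-- Run with psql as the database owner, passing an existing customer's auth.users id:
--   psql "$DATABASE_URL" -v probe_uid='00000000-0000-0000-0000-000000000001' -f rls_demo.sql
-- (the UUID is a constructed placeholder; :'probe_uid' is psql's quoted-literal
-- substitution, so the value is never string-interpolated into SQL by hand)

-- 1. The table and the WEAK policy the audit flags.
create table if not exists public.profiles (
  id    uuid primary key references auth.users(id) on delete cascade,
  email text not null,
  role  text not null check (role in ('admin','agent','customer'))
);
alter table public.profiles enable row level security;

drop policy if exists profiles_update_own on public.profiles;
create policy profiles_update_own on public.profiles
  for update to authenticated
  using (auth.uid() = id);          -- limits WHICH rows; says nothing about the NEW row

-- 2. Live probe, always rolled back: act as the probe user and try to self-promote.
begin;
  set local role authenticated;
  select set_config('request.jwt.claim.sub', :'probe_uid', true);   -- what auth.uid() reads
  update public.profiles set role = 'admin' where id = auth.uid();
  -- With the weak policy this returns 'admin': the UPDATE went through.
  select role as role_after_probe from public.profiles where id = auth.uid();
rollback;

-- 3. HARDENED policy: WITH CHECK constrains the new row. The stored role/email are
--    read through a SECURITY DEFINER function so the policy does not recurse into RLS.
create or replace function public.own_profile_lock()
returns table (cur_role text, cur_email text)
language sql security definer stable
set search_path = public
as $$
  select p.role, p.email from public.profiles p where p.id = auth.uid();
$$;
revoke all on function public.own_profile_lock() from public;
grant execute on function public.own_profile_lock() to authenticated;

drop policy if exists profiles_update_own on public.profiles;
create policy profiles_update_own on public.profiles
  for update to authenticated
  using (auth.uid() = id)
  with check (
    auth.uid() = id
    and role  = (select cur_role  from public.own_profile_lock())
    and email = (select cur_email from public.own_profile_lock())
  );

-- 4. Defence in depth: a trigger that rejects role changes from any session other than
--    the service role, so a future permissive policy cannot reopen the hole.
--    (current_user reflects the role PostgREST switches to; service-key requests run as
--    service_role, browser sessions as authenticated.)
create or replace function public.reject_role_change()
returns trigger language plpgsql as $$
begin
  if new.role is distinct from old.role
     and current_user not in ('postgres', 'service_role') then
    raise exception 'profiles.role may only be changed by the service role';
  end if;
  return new;
end;
$$;
drop trigger if exists profiles_reject_role_change on public.profiles;
create trigger profiles_reject_role_change
  before update on public.profiles
  for each row execute function public.reject_role_change();

-- 5. Re-run the probe: the UPDATE now fails with
--    "new row violates row-level security policy", and is rolled back regardless.
begin;
  set local role authenticated;
  select set_config('request.jwt.claim.sub', :'probe_uid', true);
  update public.profiles set role = 'admin' where id = auth.uid();
rollback;
```

Step 2 is the same shape as the skill's live privilege-escalation probe: it runs as the end-user role inside a transaction and ends in ROLLBACK, so even a successful escalation leaves no trace. The WITH CHECK in step 3 pins role and email to their stored values; an admin tool that legitimately changes roles should do so through the service role, which the trigger in step 4 allows while refusing everyone else.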

4. Document the audit

Append a one-paragraph summary to your project's memory or change-log file under a dated heading, including which findings were fixed and any deferred items.

What This Skill Does NOT Cover

  • DDoS / rate-limit checks. Supabase + Vercel handle the basics; for finer control add Cloudflare or Supabase's Pro plan rate limiting.
  • Application-level CSRF. Supabase auth uses Bearer tokens, not cookies, so CSRF is not a concern for the auth flow itself — but custom session cookies (e.g. an internal dashboard's mc_session) must be audited separately.
  • Penetration testing of business logic (e.g. "can a customer call /api/send-portal-link for another customer's id?"). Spot-check those manually by tracing each api/*.js endpoint's auth check.

References

Safe-usage recommendations
Review and patch the audit script before using production Supabase credentials. In particular, do not use arbitrary --pooler hosts, re-enable TLS certificate verification, validate UIDs, and require explicit approval before applying the SQL hotfix.
Capability analysis
Type: OpenClaw Skill
Name: dyagil-supabase-security-audit
Version: 1.0.0
The bundle is a legitimate security auditing tool for Supabase and Vercel environments. The primary script, `scripts/audit.js`, performs read-only checks and simulated privilege escalation tests within PostgreSQL transactions that are explicitly rolled back to prevent permanent changes. The documentation in `SKILL.md` and `references/threat-patterns.md` is educational, focusing on identifying and fixing common RLS misconfigurations, and the provided SQL hotfix is a defensive measure to prevent unauthorized role mutations.
Capability tags
requires-oauth-token, requires-sensitive-credentials
Capability assessment
Purpose & Capability
The Supabase/Vercel audit purpose matches the provided audit script, reference checklist, and SQL hotfix template, but the capability necessarily touches high-privilege database and service-role credentials.
Instruction Scope
The script accepts sensitive runtime inputs such as --pooler and --probe-uid with insufficient validation; a bad pooler can receive the DB password, and probe-uid is interpolated into SQL.
Install Mechanism
There is no install spec, but the instructions ask users to install an unpinned pg package under /tmp and the script dynamically loads pg from /tmp, PG_PATH, or the default module path.
Credentials
The skill reads a local Supabase credential file containing service-role and database credentials while registry metadata declares no primary credential/config path, and the database connection disables TLS certificate verification.
Persistence & Privilege
There is no hidden background persistence, but the skill asks the agent to write an audit summary to project memory/change logs and the optional hotfix creates database policies/triggers.
How to use
  1. Make sure OpenClaw is installed (local or Docker deployment)
  2. Enter the install command in the chat box: /install dyagil-supabase-security-audit
  3. After installation, invoke the Skill by name or trigger it with /dyagil-supabase-security-audit
  4. Provide the required inputs described in the Skill's parameter documentation to get structured output
Version history
v1.0.0
Initial release
Metadata
Slug dyagil-supabase-security-audit
Version 1.0.0
License MIT-0
Total installs 0
Current installs 0
Number of versions 1
FAQ

What is Supabase Security Audit?

Audit a Supabase + Vercel project for RLS coverage, privilege escalation, cross-customer data leaks, anonymous exposure, magic-link flow correctness, and HTT... It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 108 total downloads so far.

How do I install Supabase Security Audit?

Run the command "/install dyagil-supabase-security-audit" in the OpenClaw or Claude Code chat box for one-click installation; no extra configuration is needed.

Is Supabase Security Audit free?

Yes, Supabase Security Audit is completely free under the MIT-0 license and may be freely downloaded, installed and used.

Which platforms does Supabase Security Audit support?

Supabase Security Audit is cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed.

Who developed Supabase Security Audit?

Developed and maintained by dyagil (@dyagil); current version v1.0.0.
