Agent-Skills.md

Agent Skills: Supabase Detection

Detect if a web application uses Supabase by analyzing client-side code, network patterns, and API endpoints.

UncategorizedID: yoanbernabeu/supabase-pentest-skills/supabase-detect

Repository

yoanbernabeu/supabase-pentest-skills
yoanbernabeuLicense: NOASSERTION
341

Install this agent skill to your local

pnpm dlx add-skill https://github.com/yoanbernabeu/supabase-pentest-skills/tree/HEAD/skills/detection/supabase-detect

Skill Files

Browse the full folder contents for supabase-detect.

Download Skill

Loading file tree…

skills/detection/supabase-detect/SKILL.md

Skill Metadata

Name
supabase-detect
Description
Detect if a web application uses Supabase by analyzing client-side code, network patterns, and API endpoints.

Supabase Detection

πŸ”΄ CRITICAL: PROGRESSIVE FILE UPDATES REQUIRED

You MUST write to context files AS YOU GO, not just at the end.

  • Write to .sb-pentest-context.json IMMEDIATELY after each discovery
  • Log to .sb-pentest-audit.log BEFORE and AFTER each action
  • DO NOT wait until the skill completes to update files
  • If the skill crashes or is interrupted, all prior findings must already be saved

This is not optional. Failure to write progressively is a critical error.

This skill determines whether a web application uses Supabase as its backend.

When to Use This Skill

  • Starting a security audit on an unknown application
  • Verifying Supabase usage before running other audit skills
  • Quickly checking multiple applications for Supabase presence

Prerequisites

  • Target URL must be publicly accessible
  • Internet connection to fetch and analyze the target

Detection Methods

The skill uses multiple detection vectors:

1. Domain Pattern Matching

Searches for Supabase-related domains in:

  • HTML source code
  • JavaScript bundles
  • Network requests (via inline scripts)

Patterns detected:

*.supabase.co
*.supabase.com
supabase-cdn.com

2. JavaScript Client Detection

Looks for Supabase client library signatures:

// Import patterns
import { createClient } from '@supabase/supabase-js'
const { createClient } = require('@supabase/supabase-js')

// Client initialization
supabase.createClient(
createClient('https://
SUPABASE_URL
NEXT_PUBLIC_SUPABASE
VITE_SUPABASE
REACT_APP_SUPABASE

3. API Endpoint Detection

Checks for characteristic Supabase endpoints:

/rest/v1/
/auth/v1/
/storage/v1/
/realtime/v1/
/functions/v1/

4. Response Header Analysis

Looks for Supabase-specific headers:

x-supabase-*
sb-*

Usage

Basic Detection

Check if https://myapp.example.com uses Supabase

Detection with Verbose Output

Detect Supabase on https://myapp.example.com with full details

Output Format

Supabase Detected

═══════════════════════════════════════════════════════════
 SUPABASE DETECTED
═══════════════════════════════════════════════════════════

 Target: https://myapp.example.com
 Status: βœ… Supabase usage confirmed

 Detection Evidence:
 β”œβ”€β”€ Domain: abc123def.supabase.co (found in main.js)
 β”œβ”€β”€ Client: @supabase/supabase-js v2.x detected
 β”œβ”€β”€ Endpoints: /rest/v1/, /auth/v1/, /storage/v1/
 └── Headers: x-supabase-api-version present

 Project Reference: abc123def
 Project URL: https://abc123def.supabase.co

 Context saved to: .sb-pentest-context.json
═══════════════════════════════════════════════════════════

Supabase Not Detected

═══════════════════════════════════════════════════════════
 DETECTION RESULT
═══════════════════════════════════════════════════════════

 Target: https://myapp.example.com
 Status: ❌ Supabase not detected

 Scanned:
 β”œβ”€β”€ HTML source: No Supabase patterns
 β”œβ”€β”€ JavaScript bundles: 3 files analyzed, no matches
 β”œβ”€β”€ Network patterns: No Supabase endpoints
 └── Response headers: No Supabase headers

 Note: The app may use a self-hosted Supabase or custom domain.
       Try providing a known Supabase URL manually if you have one.
═══════════════════════════════════════════════════════════

Context Output

When Supabase is detected, the skill saves to .sb-pentest-context.json:

{
  "target_url": "https://myapp.example.com",
  "detection": {
    "detected": true,
    "confidence": "high",
    "timestamp": "2025-01-31T10:00:00Z",
    "evidence": [
      {
        "type": "domain",
        "value": "abc123def.supabase.co",
        "location": "/static/js/main.js",
        "line": 1247
      },
      {
        "type": "client_library",
        "value": "@supabase/supabase-js",
        "version": "2.x"
      }
    ]
  },
  "supabase": {
    "project_ref": "abc123def",
    "project_url": "https://abc123def.supabase.co"
  }
}

Audit Log Entry

Each detection is logged to .sb-pentest-audit.log:

[2025-01-31T10:00:00Z] DETECTION_START target=https://myapp.example.com
[2025-01-31T10:00:01Z] FETCH_HTML status=200 size=45KB
[2025-01-31T10:00:02Z] FETCH_JS file=main.js status=200 size=1.2MB
[2025-01-31T10:00:03Z] PATTERN_MATCH type=domain value=abc123def.supabase.co
[2025-01-31T10:00:03Z] DETECTION_COMPLETE result=detected confidence=high

Confidence Levels

| Level | Criteria | |-------|----------| | High | Multiple evidence types (domain + client + endpoints) | | Medium | Single strong evidence (domain or explicit client init) | | Low | Only indirect evidence (generic patterns, possible false positive) |

Edge Cases

Custom Domains

Some Supabase projects use custom domains (e.g., api.mycompany.com). In this case:

Detect Supabase on https://myapp.com with custom API domain api.mycompany.com

Self-Hosted Supabase

Self-hosted instances won't have .supabase.co domains. Look for:

  • PostgREST patterns (/rest/v1/)
  • GoTrue auth patterns (/auth/v1/)
  • Supabase client library in code

Single Page Applications

For SPAs with lazy-loaded chunks:

Detect Supabase on https://myapp.com including all JS chunks

Common Issues

❌ Problem: Detection returns false negative on SPA βœ… Solution: The app may lazy-load Supabase. Try interacting with the app first to load all chunks, or provide known patterns.

❌ Problem: Multiple Supabase projects detected βœ… Solution: This can happen with multi-tenant setups. The skill will list all found projects.

❌ Problem: Detection is slow βœ… Solution: Large JS bundles take time to analyze. Use --quick mode for faster but less thorough detection:

Quick detect Supabase on https://myapp.com

Next Steps

After detection:

  1. Run supabase-extract-url to confirm and extract the project URL
  2. Run supabase-extract-anon-key to find the API key
  3. Or use supabase-pentest for a full guided audit

MANDATORY: Progressive Context File Updates

⚠️ This skill MUST update tracking files PROGRESSIVELY during execution, NOT just at the end.

Critical Rule: Write As You Go

DO NOT batch all writes at the end. Instead:

  1. Before starting any action β†’ Log the action to .sb-pentest-audit.log
  2. After each discovery β†’ Immediately update .sb-pentest-context.json
  3. After each significant step β†’ Log completion to .sb-pentest-audit.log

This ensures that if the skill is interrupted, crashes, or times out, all findings up to that point are preserved.

Required Actions (Progressive)

  1. Create/Update .sb-pentest-context.json with results:

    {
  "target_url": "https://myapp.example.com",
  "detection": {
    "detected": true,
    "confidence": "high",
    "timestamp": "...",
    "evidence": [ ... ]
  },
  "supabase": {
    "project_ref": "abc123def",
    "project_url": "https://abc123def.supabase.co"
  }
}

  2. Create/Log to .sb-pentest-audit.log:

    [TIMESTAMP] [supabase-detect] [START] Starting Supabase detection
[TIMESTAMP] [supabase-detect] [SUCCESS] Supabase detected with high confidence
[TIMESTAMP] [supabase-detect] [CONTEXT_UPDATED] .sb-pentest-context.json created/updated

  3. IMPORTANT: As the first skill in the audit chain, this skill is responsible for creating the context files if they don't exist.

FAILURE TO UPDATE CONTEXT FILES IS NOT ACCEPTABLE.

MANDATORY: Evidence Collection

πŸ“ Evidence Directory: .sb-pentest-evidence/01-detection/

Evidence Files to Create

| File | Content | |------|---------| | initial-scan.json | Raw detection results with all evidence | | supabase-endpoints.txt | List of discovered Supabase endpoints | | client-code-snippets/ | Directory with relevant code excerpts |

Evidence Format

{
  "evidence_id": "DET-001",
  "timestamp": "2025-01-31T10:00:00Z",
  "category": "detection",
  "target_url": "https://myapp.example.com",

  "detection_results": {
    "supabase_detected": true,
    "confidence": "high",
    "project_url": "https://abc123def.supabase.co",
    "project_ref": "abc123def"
  },

  "evidence": [
    {
      "type": "domain_pattern",
      "value": "abc123def.supabase.co",
      "location": "/static/js/main.js",
      "line": 1247,
      "context": "const SUPABASE_URL = 'https://abc123def.supabase.co'"
    },
    {
      "type": "client_library",
      "value": "@supabase/supabase-js",
      "version": "2.x"
    }
  ],

  "curl_command": "curl -s 'https://abc123def.supabase.co/rest/v1/' -H 'apikey: [ANON_KEY]'"
}

Add to curl-commands.sh

# === DETECTION ===
# Check Supabase API availability
curl -s "$SUPABASE_URL/rest/v1/" -H "apikey: $ANON_KEY" | head -100

Add to timeline.md

## [TIMESTAMP] - Detection Phase Complete
- Supabase detected with [confidence] confidence
- Project: [project_ref]
- Evidence: `01-detection/initial-scan.json`

Related Skills

  • supabase-extract-url β€” Extract project URL from code
  • supabase-extract-anon-key β€” Find anon key
  • supabase-pentest β€” Full orchestrated audit