# Agent Skills: Security Report Generator

Generate a comprehensive Markdown security audit report with executive summary, findings, and remediation guidance.

Category: Uncategorized
ID: yoanbernabeu/supabase-pentest-skills/supabase-report

Install this agent skill locally:

```shell
pnpm dlx add-skill https://github.com/yoanbernabeu/supabase-pentest-skills/tree/HEAD/skills/report/supabase-report
```

## Skill Files


skills/report/supabase-report/SKILL.md

## Skill Metadata

- **Name:** supabase-report
- **Description:** Generate a comprehensive Markdown security audit report with executive summary, findings, and remediation guidance.

# Security Report Generator

## 🔴 CRITICAL: PROGRESSIVE FILE UPDATES REQUIRED

You MUST write to context files AS YOU GO, not just at the end.

- Write to `.sb-pentest-audit.log` IMMEDIATELY as you process each section
- Update `.sb-pentest-context.json` with report metadata progressively
- DO NOT wait until the entire report is generated to update files
- If the skill crashes or is interrupted, the partial progress must already be saved

This is not optional. Failure to write progressively is a critical error.

This skill generates a comprehensive Markdown security audit report from all collected findings.

## When to Use This Skill

- After completing security audit phases
- To document findings for stakeholders
- To create actionable remediation plans
- For compliance and audit trail purposes

## Prerequisites

- Audit phases completed (context file populated)
- Findings collected in `.sb-pentest-context.json`

## Report Structure

The generated report includes:

1. Executive Summary — High-level overview for management
2. Security Score — Quantified risk assessment
3. Critical Findings (P0) — Immediate action required
4. High Findings (P1) — Address soon
5. Medium Findings (P2) — Plan to address
6. Detailed Analysis — Per-component breakdown
7. Remediation Plan — Prioritized action items
8. Appendix — Technical details, methodology

## Usage

### Generate Report

```text
Generate security report from audit findings
```

### Custom Report Name

```text
Generate report as security-audit-2025-01.md
```

### Specific Sections

```text
Generate executive summary only
```

## Output Format

The skill generates `supabase-audit-report.md`:

# Supabase Security Audit Report

**Target:** https://myapp.example.com
**Project:** abc123def.supabase.co
**Date:** January 31, 2025
**Auditor:** Internal Security Team

---

## Executive Summary

### Overview

This security audit identified **12 vulnerabilities** across the Supabase implementation, including **3 critical (P0)** issues requiring immediate attention.

### Key Findings

| Severity | Count | Status |
|----------|-------|--------|
| 🔴 P0 (Critical) | 3 | Immediate action required |
| 🟠 P1 (High) | 4 | Address within 7 days |
| 🟑 P2 (Medium) | 5 | Address within 30 days |

### Security Score

**Score: 35/100 (Grade: D)**

The application has significant security gaps that expose user data and allow privilege escalation. Critical issues must be addressed before the application can be considered secure.

### Most Critical Issues

1. **Service Role Key Exposed** — Full database access possible
2. **Database Backups Public** — All data downloadable
3. **Admin Function No Auth** — Any user can access admin features

### Recommended Actions

1. ⚑ **Immediate (Today):**
   - Rotate service role key
   - Make backup bucket private
   - Add admin role verification

2. 🔜 **This Week:**
   - Enable RLS on all tables
   - Enable email confirmation
   - Fix IDOR in Edge Functions

3. 📅 **This Month:**
   - Strengthen password policy
   - Restrict CORS origins
   - Add rate limiting to functions

---

## Critical Findings (P0)

### P0-001: Service Role Key Exposed in Client Code

**Severity:** 🔴 Critical
**Component:** Key Management
**CVSS:** 9.8 (Critical)

#### Description

The Supabase service_role key was found in client-side JavaScript code. This key bypasses all Row Level Security policies and provides full database access.

#### Location

```text
File: /static/js/admin.chunk.js
Line: 89
Code: const SUPABASE_KEY = 'eyJhbGciOiJIUzI1NiI...'
```


#### Impact

- Full read/write access to all database tables
- Bypass of all RLS policies
- Access to auth.users table (all user data)
- Ability to delete or modify any data

#### Proof of Concept

```bash
curl 'https://abc123def.supabase.co/rest/v1/users' \
  -H 'apikey: [service_role_key]' \
  -H 'Authorization: Bearer [service_role_key]'

# Returns ALL users with full data
```

#### Remediation

**Immediate:**

1. Rotate the service role key in Supabase Dashboard
   - Settings → API → Regenerate service_role key
2. Remove the key from client code
3. Redeploy the application

**Long-term:**

```typescript
// Move privileged operations to Edge Functions
// supabase/functions/admin-action/index.ts

import { createClient } from '@supabase/supabase-js'

Deno.serve(async (req) => {
  // Service key only on server
  const supabase = createClient(
    Deno.env.get('SUPABASE_URL')!,
    Deno.env.get('SUPABASE_SERVICE_ROLE_KEY')!
  )

  // Verify caller is admin before proceeding
  // ...
})
```

**Documentation:**


### P0-002: Database Backups Publicly Accessible

**Severity:** 🔴 Critical
**Component:** Storage
**CVSS:** 9.1 (Critical)

#### Description

The storage bucket named "backups" is configured as public, exposing database dumps, user exports, and environment secrets.

#### Exposed Files

| File | Size | Content |
|------|------|---------|
| db-backup-2025-01-30.sql | 125MB | Full database dump |
| users-export.csv | 2.3MB | All user data with PII |
| secrets.env | 1KB | API keys and passwords |

#### Impact

- Complete data breach (all database content)
- Exposed credentials for third-party services
- User PII exposed (emails, names, etc.)

#### Remediation

**Immediate:**

```sql
-- Make bucket private
UPDATE storage.buckets
SET public = false
WHERE name = 'backups';

-- Delete or move files
-- Consider incident response procedures
```

**Credential Rotation:**

- Stripe API keys
- Database password
- JWT secret
- Any other keys in secrets.env

### P0-003: Admin Edge Function Privilege Escalation

**Severity:** 🔴 Critical
**Component:** Edge Functions
**CVSS:** 8.8 (High)

#### Description

The /functions/v1/admin-panel Edge Function is accessible to any authenticated user without role verification.

[... additional P0 findings ...]


## High Findings (P1)

### P1-001: Email Confirmation Disabled

**Severity:** 🟠 High
**Component:** Authentication

[... P1 findings ...]


## Medium Findings (P2)

### P2-001: Weak Password Policy

**Severity:** 🟑 Medium
**Component:** Authentication

[... P2 findings ...]


## Detailed Analysis by Component

### API Security

| Table | RLS | Access Level | Status |
|-------|-----|--------------|--------|
| users | ❌ | Full read | 🔴 P0 |
| orders | ✅ | None | ✅ |
| posts | ✅ | Published only | ✅ |

### Storage Security

| Bucket | Public | Sensitive Files | Status |
|--------|--------|-----------------|--------|
| avatars | Yes | No | ✅ |
| backups | Yes | Yes (45 files) | 🔴 P0 |

### Authentication

| Setting | Current | Recommended | Status |
|---------|---------|-------------|--------|
| Email confirm | Disabled | Enabled | 🟠 P1 |
| Password min | 6 | 8+ | 🟑 P2 |


## Remediation Plan

### Phase 1: Critical (Immediate)

| ID | Action | Owner | Deadline |
|----|--------|-------|----------|
| P0-001 | Rotate service key | DevOps | Today |
| P0-002 | Make backups private | DevOps | Today |
| P0-003 | Add admin role check | Backend | Today |

### Phase 2: High Priority (This Week)

| ID | Action | Owner | Deadline |
|----|--------|-------|----------|
| P1-001 | Enable email confirmation | Backend | 3 days |
| P1-002 | Fix IDOR in get-user-data | Backend | 3 days |

### Phase 3: Medium Priority (This Month)

| ID | Action | Owner | Deadline |
|----|--------|-------|----------|
| P2-001 | Strengthen password policy | Backend | 14 days |
| P2-002 | Restrict CORS origins | DevOps | 14 days |


## Appendix

### A. Methodology

This audit was performed using the Supabase Pentest Skills toolkit, which includes:

- Passive reconnaissance of client-side code
- API endpoint testing with anon and service keys
- Storage bucket enumeration and access testing
- Authentication flow analysis
- Real-time channel subscription testing

### B. Tools Used

- supabase-pentest-skills v1.0.0
- curl for API testing
- Browser DevTools for client code analysis

### C. Audit Scope

- Target URL: https://myapp.example.com
- Supabase Project: abc123def
- Components tested: API, Storage, Auth, Realtime, Edge Functions
- Exclusions: None

### D. Audit Log

Full audit log available in `.sb-pentest-audit.log`

---

*Report generated by supabase-pentest-skills*
*Audit completed: January 31, 2025 at 15:00 UTC*


## Score Calculation

The security score is calculated based on:

| Factor | Weight | Calculation |
|--------|--------|-------------|
| P0 findings | -25 per issue | Critical vulnerabilities |
| P1 findings | -10 per issue | High severity issues |
| P2 findings | -5 per issue | Medium severity issues |
| RLS coverage | +10 if 100% | All tables have RLS |
| Auth hardening | +10 | Email confirm, strong passwords |
| Base score | 100 | Starting point |

### Grade Scale

| Score | Grade | Description |
|-------|-------|-------------|
| 90-100 | A | Excellent security posture |
| 80-89 | B | Good, minor improvements needed |
| 70-79 | C | Acceptable, address issues |
| 60-69 | D | Poor, significant issues |
| 0-59 | F | Critical, immediate action needed |
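The score and grade logic of the two tables above, as an added example that is not part of the skill's code: the weights, bonuses and grade bands are taken from the tables, while the function names and the clamp of the result to the 0..100 range are my own assumptions.

```python
BASE_SCORE = 100                    # weights and scale from the tables above
P0_PENALTY, P1_PENALTY, P2_PENALTY = 25, 10, 5
RLS_BONUS, AUTH_BONUS = 10, 10
GRADE_SCALE = [  # (minimum score, grade, description)
    (90, "A", "Excellent security posture"),
    (80, "B", "Good, minor improvements needed"),
    (70, "C", "Acceptable, address issues"),
    (60, "D", "Poor, significant issues"),
    (0, "F", "Critical, immediate action needed"),
]
# Constructed sample findings shaped like .sb-pentest-context.json entries
SAMPLE_FINDINGS = [
    {"id": "P0-001", "severity": "P0", "component": "keys"},
    {"id": "P1-001", "severity": "P1", "component": "auth"},
    {"id": "P2-001", "severity": "P2", "component": "auth"},
    {"id": "P2-002", "severity": "P2", "component": "cors"},
]

def severity_counts(findings):
    """Count findings by severity ("P0"/"P1"/"P2"); other values are ignored."""
    counts = {"p0": 0, "p1": 0, "p2": 0}
    for finding in findings:
        key = str(finding.get("severity", "")).lower()
        if key in counts:
            counts[key] += 1
    return counts

def security_score(counts, rls_full_coverage=False, auth_hardened=False):
    """Apply the weight table. Clamping to 0..100 is an assumption: the page
    does not say what happens when penalties exceed the base score."""
    score = BASE_SCORE
    score -= P0_PENALTY * counts["p0"] + P1_PENALTY * counts["p1"] + P2_PENALTY * counts["p2"]
    if rls_full_coverage:
        score += RLS_BONUS
    if auth_hardened:
        score += AUTH_BONUS
    return max(0, min(100, score))

def grade(score):
    """Map a score to (letter, description) using the grade scale."""
    for minimum, letter, description in GRADE_SCALE:
        if score >= minimum:
            return letter, description
    raise ValueError(f"score out of range: {score}")

if __name__ == "__main__":
    counts = severity_counts(SAMPLE_FINDINGS)
    score = security_score(counts)
    print(counts, score, grade(score))  # {'p0': 1, 'p1': 1, 'p2': 2} 55 ('F', 'Critical, immediate action needed')
```

With the sample report's counts (3 P0, 4 P1, 5 P2) the weights alone give 100 - 75 - 40 - 25 = -40, so that report's 35/100 (Grade D) is illustrative rather than computed from this table.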

## Context Input

The report generator reads from `.sb-pentest-context.json`:

```json
{
  "target_url": "https://myapp.example.com",
  "supabase": {
    "project_url": "https://abc123def.supabase.co",
    "project_ref": "abc123def"
  },
  "findings": [
    {
      "id": "P0-001",
      "severity": "P0",
      "component": "keys",
      "title": "Service Role Key Exposed",
      "description": "...",
      "location": "...",
      "remediation": "..."
    }
  ],
  "audit_completed": "2025-01-31T15:00:00Z"
}
```

## Report Customization

### Include/Exclude Sections

```text
Generate report without appendix
Generate report with executive summary only
```

### Different Formats

```text
Generate report in JSON format
Generate report summary as HTML
```

## MANDATORY: Context File Dependency

⚠️ This skill REQUIRES properly populated tracking files.

### Prerequisites

Before generating a report, ensure:

1. `.sb-pentest-context.json` exists and contains findings from audit skills
2. `.sb-pentest-audit.log` exists with timestamped actions
3. All relevant audit skills have updated these files

### If Context Files Are Missing

If context files are missing or empty:

1. DO NOT generate an empty report
2. Inform the user that audit skills must be run first
3. Recommend running `supabase-pentest` for a complete audit

### Report Generation Output

After generating the report, this skill MUST:

1. Log to `.sb-pentest-audit.log`:

   ```text
   [TIMESTAMP] [supabase-report] [START] Generating security report
   [TIMESTAMP] [supabase-report] [SUCCESS] Report generated: supabase-audit-report.md
   [TIMESTAMP] [supabase-report] [CONTEXT_UPDATED] Report generation logged
   ```

2. Update `.sb-pentest-context.json` with report metadata:

   ```json
   {
     "report": {
       "generated_at": "...",
       "filename": "supabase-audit-report.md",
       "findings_count": { "p0": 3, "p1": 4, "p2": 5 }
     }
   }
   ```

FAILURE TO UPDATE CONTEXT FILES IS NOT ACCEPTABLE.
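The context-file check and the progressive log and metadata writes that the Context Input and Report Generation Output sections require, as an added example that is not the skill's own implementation: file names, log line format and the `report` block come from this page; the helper names, the ISO 8601 UTC timestamp and the minimal report body are my assumptions.

```python
import json
import tempfile
from datetime import datetime, timezone
from pathlib import Path

CONTEXT_FILE = ".sb-pentest-context.json"  # file and log names as given on this page
AUDIT_LOG = ".sb-pentest-audit.log"
SAMPLE = [{"id": "P0-001", "severity": "P0"}, {"id": "P2-001", "severity": "P2"}]  # constructed

def log_action(workdir, status, message):
    """Append one '[TIMESTAMP] [supabase-report] [STATUS] message' line (UTC, ISO 8601)."""
    stamp = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    with open(Path(workdir) / AUDIT_LOG, "a", encoding="utf-8") as fh:
        fh.write(f"[{stamp}] [supabase-report] [{status}] {message}\n")

def load_context(workdir):
    """Parsed context, or None when the file is missing or holds no findings."""
    path = Path(workdir) / CONTEXT_FILE
    if not path.is_file():
        return None
    ctx = json.loads(path.read_text(encoding="utf-8"))
    return ctx if ctx.get("findings") else None

def generate_report(workdir, filename="supabase-audit-report.md"):
    """Refuse on an empty context; otherwise write the report, then the metadata, logging each step as it happens."""
    ctx = load_context(workdir)
    if ctx is None:
        return None  # caller must tell the user to run the audit skills first
    log_action(workdir, "START", "Generating security report")
    counts = {"p0": 0, "p1": 0, "p2": 0}
    for finding in ctx["findings"]:
        sev = str(finding.get("severity", "")).lower()
        if sev in counts:
            counts[sev] += 1
    body = ["# Supabase Security Audit Report", "", f"**Target:** {ctx.get('target_url', '?')}", ""]
    (Path(workdir) / filename).write_text("\n".join(body) + "\n", encoding="utf-8")
    log_action(workdir, "SUCCESS", f"Report generated: {filename}")
    ctx["report"] = {"generated_at": datetime.now(timezone.utc).isoformat(timespec="seconds"),
                     "filename": filename, "findings_count": counts}
    (Path(workdir) / CONTEXT_FILE).write_text(json.dumps(ctx, indent=2), encoding="utf-8")
    log_action(workdir, "CONTEXT_UPDATED", "Report generation logged")
    return ctx["report"]

def make_sample_workdir(findings=SAMPLE):
    """Temp dir holding a constructed context file so the example runs offline."""
    workdir = tempfile.mkdtemp()
    ctx = {"target_url": "https://myapp.example.com", "findings": findings}
    (Path(workdir) / CONTEXT_FILE).write_text(json.dumps(ctx), encoding="utf-8")
    return workdir
```

Because the metadata is written to the context file before the final log line, an interruption after the SUCCESS entry still leaves the `report` block on disk.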

## Related Skills

- `supabase-report-compare` — Compare with previous reports
- `supabase-pentest` — Run full audit first
- `supabase-help` — List all available skills