Supabase Detection
π΄ CRITICAL: PROGRESSIVE FILE UPDATES REQUIRED
You MUST write to context files AS YOU GO, not just at the end.
-
Write to .sb-pentest-context.json IMMEDIATELY after each discovery
-
Log to .sb-pentest-audit.log BEFORE and AFTER each action
-
DO NOT wait until the skill completes to update files
-
If the skill crashes or is interrupted, all prior findings must already be saved
This is not optional. Failure to write progressively is a critical error.
This skill determines whether a web application uses Supabase as its backend.
When to Use This Skill
-
Starting a security audit on an unknown application
-
Verifying Supabase usage before running other audit skills
-
Quickly checking multiple applications for Supabase presence
Prerequisites
-
Target URL must be publicly accessible
-
Internet connection to fetch and analyze the target
Detection Methods
The skill uses multiple detection vectors:
- Domain Pattern Matching
Searches for Supabase-related domains in:
-
HTML source code
-
JavaScript bundles
-
Network requests (via inline scripts)
Patterns detected:
*.supabase.co *.supabase.com supabase-cdn.com
- JavaScript Client Detection
Looks for Supabase client library signatures:
// Import patterns import { createClient } from '@supabase/supabase-js' const { createClient } = require('@supabase/supabase-js')
// Client initialization supabase.createClient( createClient('https:// SUPABASE_URL NEXT_PUBLIC_SUPABASE VITE_SUPABASE REACT_APP_SUPABASE
- API Endpoint Detection
Checks for characteristic Supabase endpoints:
/rest/v1/ /auth/v1/ /storage/v1/ /realtime/v1/ /functions/v1/
- Response Header Analysis
Looks for Supabase-specific headers:
x-supabase-* sb-*
Usage
Basic Detection
Check if https://myapp.example.com uses Supabase
Detection with Verbose Output
Detect Supabase on https://myapp.example.com with full details
Output Format
Supabase Detected
βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ SUPABASE DETECTED βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
Target: https://myapp.example.com Status: β Supabase usage confirmed
Detection Evidence: βββ Domain: abc123def.supabase.co (found in main.js) βββ Client: @supabase/supabase-js v2.x detected βββ Endpoints: /rest/v1/, /auth/v1/, /storage/v1/ βββ Headers: x-supabase-api-version present
Project Reference: abc123def Project URL: https://abc123def.supabase.co
Context saved to: .sb-pentest-context.json βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
Supabase Not Detected
βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ DETECTION RESULT βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
Target: https://myapp.example.com Status: β Supabase not detected
Scanned: βββ HTML source: No Supabase patterns βββ JavaScript bundles: 3 files analyzed, no matches βββ Network patterns: No Supabase endpoints βββ Response headers: No Supabase headers
Note: The app may use a self-hosted Supabase or custom domain. Try providing a known Supabase URL manually if you have one. βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
Context Output
When Supabase is detected, the skill saves to .sb-pentest-context.json :
{ "target_url": "https://myapp.example.com", "detection": { "detected": true, "confidence": "high", "timestamp": "2025-01-31T10:00:00Z", "evidence": [ { "type": "domain", "value": "abc123def.supabase.co", "location": "/static/js/main.js", "line": 1247 }, { "type": "client_library", "value": "@supabase/supabase-js", "version": "2.x" } ] }, "supabase": { "project_ref": "abc123def", "project_url": "https://abc123def.supabase.co" } }
Audit Log Entry
Each detection is logged to .sb-pentest-audit.log :
[2025-01-31T10:00:00Z] DETECTION_START target=https://myapp.example.com [2025-01-31T10:00:01Z] FETCH_HTML status=200 size=45KB [2025-01-31T10:00:02Z] FETCH_JS file=main.js status=200 size=1.2MB [2025-01-31T10:00:03Z] PATTERN_MATCH type=domain value=abc123def.supabase.co [2025-01-31T10:00:03Z] DETECTION_COMPLETE result=detected confidence=high
Confidence Levels
Level Criteria
High Multiple evidence types (domain + client + endpoints)
Medium Single strong evidence (domain or explicit client init)
Low Only indirect evidence (generic patterns, possible false positive)
Edge Cases
Custom Domains
Some Supabase projects use custom domains (e.g., api.mycompany.com ). In this case:
Detect Supabase on https://myapp.com with custom API domain api.mycompany.com
Self-Hosted Supabase
Self-hosted instances won't have .supabase.co domains. Look for:
-
PostgREST patterns (/rest/v1/ )
-
GoTrue auth patterns (/auth/v1/ )
-
Supabase client library in code
Single Page Applications
For SPAs with lazy-loaded chunks:
Detect Supabase on https://myapp.com including all JS chunks
Common Issues
β Problem: Detection returns false negative on SPA β Solution: The app may lazy-load Supabase. Try interacting with the app first to load all chunks, or provide known patterns.
β Problem: Multiple Supabase projects detected β Solution: This can happen with multi-tenant setups. The skill will list all found projects.
β Problem: Detection is slow β Solution: Large JS bundles take time to analyze. Use --quick mode for faster but less thorough detection:
Quick detect Supabase on https://myapp.com
Next Steps
After detection:
-
Run supabase-extract-url to confirm and extract the project URL
-
Run supabase-extract-anon-key to find the API key
-
Or use supabase-pentest for a full guided audit
MANDATORY: Progressive Context File Updates
β οΈ This skill MUST update tracking files PROGRESSIVELY during execution, NOT just at the end.
Critical Rule: Write As You Go
DO NOT batch all writes at the end. Instead:
-
Before starting any action β Log the action to .sb-pentest-audit.log
-
After each discovery β Immediately update .sb-pentest-context.json
-
After each significant step β Log completion to .sb-pentest-audit.log
This ensures that if the skill is interrupted, crashes, or times out, all findings up to that point are preserved.
Required Actions (Progressive)
Create/Update .sb-pentest-context.json with results:
{ "target_url": "https://myapp.example.com", "detection": { "detected": true, "confidence": "high", "timestamp": "...", "evidence": [ ... ] }, "supabase": { "project_ref": "abc123def", "project_url": "https://abc123def.supabase.co" } }
Create/Log to .sb-pentest-audit.log :
[TIMESTAMP] [supabase-detect] [START] Starting Supabase detection [TIMESTAMP] [supabase-detect] [SUCCESS] Supabase detected with high confidence [TIMESTAMP] [supabase-detect] [CONTEXT_UPDATED] .sb-pentest-context.json created/updated
IMPORTANT: As the first skill in the audit chain, this skill is responsible for creating the context files if they don't exist.
FAILURE TO UPDATE CONTEXT FILES IS NOT ACCEPTABLE.
MANDATORY: Evidence Collection
π Evidence Directory: .sb-pentest-evidence/01-detection/
Evidence Files to Create
File Content
initial-scan.json
Raw detection results with all evidence
supabase-endpoints.txt
List of discovered Supabase endpoints
client-code-snippets/
Directory with relevant code excerpts
Evidence Format
{ "evidence_id": "DET-001", "timestamp": "2025-01-31T10:00:00Z", "category": "detection", "target_url": "https://myapp.example.com",
"detection_results": { "supabase_detected": true, "confidence": "high", "project_url": "https://abc123def.supabase.co", "project_ref": "abc123def" },
"evidence": [ { "type": "domain_pattern", "value": "abc123def.supabase.co", "location": "/static/js/main.js", "line": 1247, "context": "const SUPABASE_URL = 'https://abc123def.supabase.co'" }, { "type": "client_library", "value": "@supabase/supabase-js", "version": "2.x" } ],
"curl_command": "curl -s 'https://abc123def.supabase.co/rest/v1/' -H 'apikey: [ANON_KEY]'" }
Add to curl-commands.sh
=== DETECTION ===
Check Supabase API availability
curl -s "$SUPABASE_URL/rest/v1/" -H "apikey: $ANON_KEY" | head -100
Add to timeline.md
[TIMESTAMP] - Detection Phase Complete
- Supabase detected with [confidence] confidence
- Project: [project_ref]
- Evidence:
01-detection/initial-scan.json
Related Skills
-
supabase-extract-url β Extract project URL from code
-
supabase-extract-anon-key β Find anon key
-
supabase-pentest β Full orchestrated audit