# Supabase Security Audit

v1.0.0

Audit a Supabase + Vercel project for RLS coverage, privilege escalation, cross-customer data leaks, anonymous exposure, magic-link flow correctness, and HTTP security headers, and apply hotfix templates when issues are found. Use whenever the user asks about security / RLS / audits, after any migration that touches `profiles`-like tables or auth, or before exposing a new customer-facing surface.
Run the audit, read the findings, apply hotfixes. The script is tuned for projects that use Supabase + Vercel and a `profiles` table with `role in ('admin','agent','customer')` (or similar), but its individual probes are independent, so single-table projects benefit too.

## When to run

- The user asks "are we safe?" / "security audit" / "RLS check".
- After any migration that touches `profiles`, RLS policies, or auth triggers.
- Before sending the first real magic link to a customer.
- After rotating credentials or changing the Site URL / Redirect URLs.
- Before exposing a new surface (portal, CRM, admin tool) to real users.

## Prerequisites
A credentials file at `~/.OpenClaw/credentials/supabase/credentials.env` (override the path with `--cred`) containing:

```
SUPABASE_URL=https://.supabase.co
SUPABASE_PROJECT_REF=
SUPABASE_ANON_KEY=...
SUPABASE_SERVICE_ROLE_KEY=...
SUPABASE_DB_PASSWORD=...
```

The `pg` Node package must be reachable. The script auto-discovers it from `/tmp/sb-tools/node_modules/pg`. If it is missing:

```sh
mkdir -p /tmp/sb-tools && (cd /tmp/sb-tools && npm i pg)
```
## Workflow

- Run the audit

`--probe-uid` / `--target-uid` are optional but unlock the live privilege-escalation probe and the cross-customer data-leak probe. Both probes run inside a transaction that is always rolled back, so they do not mutate the database. `--site` adds a HEAD request to check security headers (CSP, HSTS, etc.). `--public-tables` overrides the default list of tables checked for anonymous reads (defaults to `profiles,deals,documents,invoices,inquiries,customer_events,tax_engagements`).

Exit code is 0 if there are no critical findings, 1 if there are any.
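The first two groups of the audit output (RLS coverage and anonymous exposure) boil down to two read-only catalog queries. The block below is an added example written for this page, not the skill's own `audit.js`; it assumes Supabase's default `anon` / `authenticated` roles, the `public` schema, and the default table list above, and can be run in the SQL editor or through `psql` with `SUPABASE_DB_PASSWORD`.

```sql
-- Added example (not the skill's audit.js): the catalog checks behind the
-- "RLS coverage" and "anonymous exposure" groups of the audit output.
-- Assumes Supabase's default roles (anon, authenticated) and the public schema.

-- 1. RLS coverage: every table in public should have row level security enabled.
--    A table listed here has RLS off; with Supabase's default grants to anon,
--    every row is readable through the REST API with only the anon key.
select n.nspname          as schema_name,
       c.relname          as table_name,
       c.relrowsecurity   as rls_enabled
from pg_class c
join pg_namespace n on n.oid = c.relnamespace
where n.nspname = 'public'
  and c.relkind in ('r', 'p')       -- ordinary and partitioned tables
  and not c.relrowsecurity          -- finding: RLS disabled
order by c.relname;

-- 2. Anonymous exposure: read policies that apply to the anon role or to PUBLIC
--    on the customer-facing tables the audit checks by default. RLS being enabled
--    is not enough if a permissive policy hands the rows to anon anyway.
select p.tablename, p.policyname, p.roles, p.cmd, p.qual as using_expr
from pg_policies p
where p.schemaname = 'public'
  and p.cmd in ('SELECT', 'ALL')
  and (p.roles = '{public}'::name[] or 'anon' = any(p.roles))
  and p.tablename in ('profiles', 'deals', 'documents', 'invoices',
                      'inquiries', 'customer_events', 'tax_engagements')
order by p.tablename, p.policyname;

-- 3. Mitigation for a table surfaced by query 1 (invoices used as a constructed example).
--    The service role carries BYPASSRLS, so server-side code keeps working; anon and
--    authenticated now see no rows until a policy explicitly grants them.
alter table public.invoices enable row level security;
```

Query 2 returns policies, not rows; a hit means "decide whether this table really should be public". For a table that is meant to be world-readable (a pricing list, say) the policy is the finding's justification, and a note in the change-log is the right fix, not a policy change.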
- Read the findings

Output is grouped: RLS coverage → anonymous exposure → update policies → live privilege escalation → cross-customer leaks → HTTP headers → summary.

Severity icons:

- 🚨 crit: exploitable now, fix today.
- 🟡 warn: best-practice gap, or an audit step was skipped (e.g. no `--probe-uid`).
- ✅ ok: passed.
- Map findings to fixes

For each 🚨 finding, look it up in `references/threat-patterns.md`; every common pattern in that file has a detection query, an impact statement, and a fix.

The most common critical finding is "update policy lacks WITH CHECK on role/email — privilege escalation risk". That one has a turn-key SQL template:

```sh
# Edit the table name in the file first if it isn't public.profiles
node /deploy/run-migration.cjs \
  <skills-dir>/supabase-security-audit/scripts/hotfix-role-lock.sql
```

Then re-run `audit.js` to confirm the finding flipped to ✅.
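To make the finding concrete, here is an added example (not the skill's `hotfix-role-lock.sql`) showing the detection query over `pg_policies`, the vulnerable policy shape, and a hardened replacement. It assumes a `public.profiles` table with `id`, `email` and `role` columns as described above; the helper function name `current_profile_role_email`, the policy name `profiles_update_own`, and the `full_name` / `phone` columns in the commented alternative are assumptions.

```sql
-- Added example, not the skill's hotfix-role-lock.sql. Assumes public.profiles(id, email, role).

-- Detection: UPDATE/ALL policies on profiles whose WITH CHECK is absent or never mentions
-- role/email (a textual heuristic, the same idea as the audit's "update policies" group).
-- When WITH CHECK is omitted, Postgres reuses the USING expression for the new row, so
-- "id = auth.uid()" alone still lets a customer write role = 'admin' into their own row.
select p.policyname, p.roles, p.qual as using_expr, p.with_check
from pg_policies p
where p.schemaname = 'public'
  and p.tablename = 'profiles'
  and p.cmd in ('UPDATE', 'ALL')
  and (p.with_check is null
       or p.with_check !~* '\mrole\M'
       or p.with_check !~* '\memail\M');

-- Vulnerable shape (what the query above flags):
-- create policy profiles_update_own on public.profiles
--   for update to authenticated
--   using (id = auth.uid());

-- Hardened replacement. The helper is SECURITY DEFINER so it can read the caller's current
-- row without re-entering the caller's own RLS policies (avoids policy recursion on profiles).
-- Values are cast to text so the comparison works whether role is text or an enum.
create or replace function public.current_profile_role_email()
returns table (role text, email text)
language sql
security definer
set search_path = public
stable
as $$
  select p.role::text, p.email::text
  from public.profiles p
  where p.id = auth.uid();
$$;
revoke all on function public.current_profile_role_email() from public;
grant execute on function public.current_profile_role_email() to authenticated;

drop policy if exists profiles_update_own on public.profiles;
create policy profiles_update_own on public.profiles
  for update
  to authenticated
  using (id = auth.uid())                        -- which rows may be targeted
  with check (                                   -- what the new row may look like
    id = auth.uid()
    and role::text  = (select r.role  from public.current_profile_role_email() r)
    and email::text = (select r.email from public.current_profile_role_email() r)
  );

-- Alternative / extra layer: column-level grants, evaluated before RLS so no later policy
-- mistake can reopen the columns. A column REVOKE is a no-op while a table-level UPDATE
-- grant exists (Supabase grants one by default), so drop the table grant and re-grant only
-- the columns users may edit. full_name and phone are assumed column names.
-- revoke update on public.profiles from anon, authenticated;
-- grant update (full_name, phone) on public.profiles to authenticated;
```

After applying the hardened policy, an authenticated client that issues `update profiles set role = 'admin' where id = auth.uid()` gets a WITH CHECK violation instead of a promoted row, while edits that leave `role` and `email` untouched continue to work. Admin tooling that legitimately changes roles should go through the service role, which bypasses RLS.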
- Document the audit

Append a one-paragraph summary to your project's memory or change-log file under a dated heading, including which findings were fixed and any deferred items.

## What This Skill Does NOT Cover

- DDoS / rate-limit checks. Supabase + Vercel handle the basics; for finer control add Cloudflare or Supabase's Pro plan rate limiting.
- App-level CSRF. Supabase auth uses Bearer tokens, not cookies, so CSRF is not a concern for the auth flow itself, but custom session cookies (e.g. an internal dashboard's `mc_session`) must be audited separately.
- Penetration testing of business logic (e.g. "can a customer call `/api/send-portal-link` for another customer's id?"). Spot-check those manually by tracing each `api/*.js` endpoint's auth check.

## References

- `references/threat-patterns.md`: exploitable patterns with detection queries and fixes.
- `scripts/audit.js`: the audit runner.
- `scripts/hotfix-role-lock.sql`: turnkey fix for the privilege-escalation pattern.