This is a red team auditor for your Firestore security rules that actually tries to break them rather than just checking syntax. It runs through a mandatory checklist looking for the classic gotchas: update bypasses, where the create rule validates a document but the update rule doesn't re-check it, so someone creates a valid document and then modifies it into something malicious; self-assigned admin roles pulled from user-provided data instead of a server-controlled source; missing size limits that enable storage abuse; and field-level rules that validate the fields but forget to check who owns the document. The scoring is strict, ranging from 1 (data leaks and privilege escalation) to 5 (actually secure), and it returns structured JSON with specific findings and fixes. Honest take: if you're generating Firestore rules with AI or haven't had them reviewed by someone paranoid, run this before you ship.
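The four checklist items above, shown in a rules file as an added example (this is not the auditor's code and not from the firebase/agent-skills repo). The `posts` and `users` collections, their field names, the size caps and the `admin` custom claim are all assumptions made up for the illustration; the weak rule each hardened rule replaces is left in as a comment so the two can be compared side by side. The example goes slightly beyond the page's description by also pinning the field set on create and update, which is the usual way to close the update-bypass hole.

```firestore
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {

    function isSignedIn() {
      return request.auth != null;
    }

    // Ownership is checked against the document's stored ownerId, never
    // against a value the client sends (hypothetical field name).
    function isOwner(data) {
      return isSignedIn() && request.auth.uid == data.ownerId;
    }

    // Admin status comes from a custom claim set server-side with the Admin
    // SDK (assumed claim name), not from a field in a user-writable document.
    function isAdmin() {
      return isSignedIn() && request.auth.token.admin == true;
    }

    // Shape and size limits applied to the document as it will be stored.
    // The caps are illustrative; pick ones that fit the workload.
    function validPost(d) {
      return d.title is string && d.title.size() <= 200
          && d.body is string && d.body.size() <= 20000
          && d.published is bool;
    }

    match /posts/{postId} {
      allow read: if resource.data.published == true || isOwner(resource.data);

      // Weak: allow write: if request.auth != null;
      // (any signed-in user can write any field, of any size, with any ownerId)
      allow create: if isOwner(request.resource.data)
          && request.resource.data.keys().hasOnly(['ownerId', 'title', 'body', 'published'])
          && validPost(request.resource.data);

      // Weak: allow update: if isOwner(resource.data);
      // (ownership is checked, but nothing stops the owner from rewriting
      // ownerId, adding unexpected fields, or growing body without bound)
      allow update: if isOwner(resource.data)
          && request.resource.data.ownerId == resource.data.ownerId
          && request.resource.data.diff(resource.data).affectedKeys()
               .hasOnly(['title', 'body', 'published'])
          && validPost(request.resource.data);

      allow delete: if isOwner(resource.data) || isAdmin();
    }

    match /users/{uid} {
      allow read: if isSignedIn() && (request.auth.uid == uid || isAdmin());

      // Weak: allow write: if request.auth.uid == uid;
      // (the user writes {role: 'admin'} into their own profile, and any rule
      // elsewhere that trusts get(/users/$(uid)).data.role is now bypassed)
      allow create: if isSignedIn() && request.auth.uid == uid
          && !('role' in request.resource.data)
          && request.resource.data.keys().hasOnly(['displayName', 'bio'])
          && request.resource.data.displayName is string
          && request.resource.data.displayName.size() <= 80;

      allow update: if isSignedIn() && request.auth.uid == uid
          && !request.resource.data.diff(resource.data).affectedKeys().hasAny(['role']);

      // Multiple allow statements on the same operation are OR-ed, so this
      // grants admins the role change without widening the user's own rule.
      allow update: if isAdmin();
    }
  }
}
```

The two things worth internalizing from this: `resource.data` is what is already stored and `request.resource.data` is what the client is trying to write, and every update rule has to compare the two (`diff(...).affectedKeys()`) or the create-time validation is meaningless; and anything that decides privilege must come from a source the client cannot write, which in practice means custom claims or a document only admins can update.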
npx skills add https://github.com/firebase/agent-skills --skill firebase-security-rules-auditor