Summary
This takes a red team approach to auditing Firestore security rules, specifically looking for the kinds of bypasses that actually happen in production. It checks for the classic create/update split where users bootstrap valid documents then mutate them into privileged states, sniffs out rules that trust client-provided role fields, and flags missing size limits that let attackers stuff documents until you hit quota. The field-level versus identity-level distinction is smart: it catches rules that restrict which fields change but forget to check who's changing them. If you're shipping anything with user-generated Firestore data, running this before launch will save you from the "wait, users can just set isAdmin to true?" postmortem.
Install to Claude Code
npx -y skills add firebase/agent-skills --skill firestore-security-rules-auditor --agent claude-codeInstalls into .claude/skills of the current project.
Agent, run crypto. Access onchain data & trade routes via 1inch.
Install now →
On Capafy, your Skill runs online 24/7 as an agent product, and you get paid every time someone uses it.
Start earning →
Connect Claude to +800M contacts, +150M companies. Find & Enrich leads in chat.
Try For Free →
Integrate web data into your AI product. One API to scrape website & brand data.
Get API Key Now →Files
SKILL.md
Select a file.
Featured
Agent, run crypto. Access onchain data & trade routes via 1inch.
Install now →On Capafy, your Skill runs online 24/7 as an agent product, and you get paid every time someone uses it.
Start earning →Connect Claude to +800M contacts, +150M companies. Find & Enrich leads in chat.
Try For Free →Integrate web data into your AI product. One API to scrape website & brand data.
Get API Key Now →First SeenApr 16, 2026
