This audit checks your Supabase storage for publicly accessible buckets and flags anything that shouldn't be world-readable. It's the kind of thing you'd run before a security review, or when you realize that "public" bucket from prototyping is still serving files in production. The scan distinguishes between legitimate public assets like avatars and genuinely dangerous exposures like database backups or .env files, and for each one it reports the public URL that anyone can hit without credentials. What's smart here is the progressive logging requirement: it writes findings to context files as it goes, so if the scan crashes halfway through a large storage instance, you don't lose everything. The output is thorough, maybe even verbose, but when it finds a publicly accessible secrets.env file, you'll appreciate the detail.
npx skills add https://github.com/yoanbernabeu/supabase-pentest-skills --skill supabase-audit-buckets-public
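To make the audit's logic concrete, here is an added Python model of the check it describes: walk the bucket list, skip anything not flagged public, classify each object in a public bucket by its name, emit the public URL, and append every finding to a JSON Lines log as it is produced so a crash keeps what was already found. This is example code written for this page, not the skill's own implementation. The bucket and object listings are constructed inline; in a real run they would come from the Supabase Storage API (for example supabase-py's `storage.list_buckets()` and `storage.from_(name).list()`, an assumption about the API surface). The sensitive-name patterns, the benign-extension set and the project URL are likewise assumptions, not values from the page.

```python
"""Offline model of a Supabase public-bucket audit with progressive logging.

Added example; not the skill's code. Bucket/object listings are constructed
below so it runs without a project. Real listings come from the Storage API.
"""
import json
import os
import re
import tempfile
from dataclasses import dataclass, asdict
from pathlib import Path
from typing import Optional

# Object-name patterns that should never be world-readable (assumed list;
# extend it for your own project).
SENSITIVE_PATTERNS = [
    (re.compile(r"(^|/)[^/]*\.env(\.[^/]+)?$", re.I), "environment file"),
    (re.compile(r"\.(sql|dump|bak|backup)(\.(gz|zip|tar))?$", re.I), "database backup"),
    (re.compile(r"\.(pem|key|p12|pfx|jks)$", re.I), "private key material"),
    (re.compile(r"(^|/)id_(rsa|dsa|ecdsa|ed25519)$"), "SSH private key"),
]
# Extensions that are normally fine to serve publicly (avatars, static assets).
BENIGN_PUBLIC_EXT = {".png", ".jpg", ".jpeg", ".gif", ".webp", ".svg", ".ico", ".css", ".js", ".woff2"}


@dataclass
class Finding:
    bucket: str
    object: Optional[str]  # None for the bucket-level record
    severity: str          # "high" | "medium" | "info"
    reason: str
    url: Optional[str]


def public_object_url(project_url: str, bucket: str, name: str) -> str:
    """URL at which an unauthenticated client can fetch an object from a public bucket."""
    return f"{project_url.rstrip('/')}/storage/v1/object/public/{bucket}/{name}"


def classify_object(name: str):
    """Rate a public object: secrets/backups are high, static assets info, the rest medium."""
    for pattern, reason in SENSITIVE_PATTERNS:
        if pattern.search(name):
            return "high", reason
    if Path(name).suffix.lower() in BENIGN_PUBLIC_EXT:
        return "info", "static asset, expected to be public"
    return "medium", "public file of unknown sensitivity; confirm it is meant to be public"


class ProgressiveLog:
    """Append-only JSON Lines log; each record is flushed and fsynced immediately,
    so a crash loses at most the object currently being checked."""

    def __init__(self, path):
        self.fh = open(path, "a", encoding="utf-8")

    def write(self, finding: Finding):
        self.fh.write(json.dumps(asdict(finding)) + "\n")
        self.fh.flush()
        os.fsync(self.fh.fileno())

    def close(self):
        self.fh.close()


def load_log(path):
    return [json.loads(line) for line in Path(path).read_text(encoding="utf-8").splitlines() if line.strip()]


def completed_buckets(path):
    """Buckets whose scan finished: the bucket-level record is written last, so its
    presence means every object in that bucket was already logged. A restarted
    scan passes this set as `skip`."""
    return {rec["bucket"] for rec in load_log(path) if rec["object"] is None}


def audit_public_buckets(project_url, buckets, list_objects, log_path, skip=frozenset()):
    """buckets: iterable of {"name": str, "public": bool}; list_objects(name) -> object names."""
    findings = []
    log = ProgressiveLog(log_path)
    try:
        for bucket in buckets:
            name = bucket["name"]
            if not bucket.get("public") or name in skip:
                continue  # private buckets are out of scope for this check
            checked = 0
            for obj in list_objects(name):
                severity, reason = classify_object(obj)
                finding = Finding(name, obj, severity, reason, public_object_url(project_url, name, obj))
                log.write(finding)  # persisted before moving on
                findings.append(finding)
                checked += 1
            summary = Finding(name, None, "info", f"bucket is public; {checked} objects checked", None)
            log.write(summary)
            findings.append(summary)
    finally:
        log.close()
    return findings


# Constructed sample listing standing in for Storage API responses.
SAMPLE_BUCKETS = [
    {"name": "avatars", "public": True},
    {"name": "backups", "public": True},
    {"name": "private-docs", "public": False},
]
SAMPLE_OBJECTS = {
    "avatars": ["u1/profile.png", "u2/profile.webp"],
    "backups": ["prod-2024-05-01.sql.gz", "secrets.env", "notes.txt"],
    "private-docs": ["contract.pdf"],
}


def run_sample_audit(log_path=None):
    """Run the audit over the constructed listing; returns (findings, log path)."""
    if log_path is None:
        fd, log_path = tempfile.mkstemp(suffix=".jsonl")
        os.close(fd)
    findings = audit_public_buckets("https://example-project.supabase.co",  # placeholder project URL
                                    SAMPLE_BUCKETS, SAMPLE_OBJECTS.__getitem__, log_path)
    return findings, log_path


if __name__ == "__main__":
    results, path = run_sample_audit()
    for f in results:
        if f.severity == "high":
            print(f"[HIGH] {f.url}  ({f.reason})")
    print(f"{len(results)} records written to {path}")
```

The bucket-level record is deliberately written after its objects rather than before: that ordering is what lets `completed_buckets()` tell a fully scanned bucket from one the scan died in the middle of, so a rerun with `skip=completed_buckets(path)` only revisits unfinished buckets and the earlier findings stay in the same log file.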