Tests whether you can actually read files from your Supabase storage buckets using the anon key, not just whether the buckets exist. Crawls through each bucket attempting to list files, grab metadata, and download samples, then flags anything that looks sensitive (database backups, .env files, invoices, IDs) sitting in public buckets. The output gets pretty alarming if you've got secrets or PII exposed. Worth running this after the initial bucket enumeration to see what an unauthenticated user could pull down. It writes findings progressively to avoid losing results mid-scan, which matters when you're testing dozens of buckets.
npx skills add https://github.com/yoanbernabeu/supabase-pentest-skills --skill supabase-audit-buckets-read
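The flag-and-record step described above, sketched offline as an added example (not the skill's own code). The filename patterns, the severity labels, the `findings.jsonl` name and the sample listing are all assumptions constructed for illustration.

```python
import json, re, tempfile
from pathlib import Path

# Assumed patterns for the categories the description names; not the skill's own list.
SENSITIVE = [
    ("database_backup", re.compile(r"\.(sql|dump|bak)(\.(gz|zip))?$", re.I)),
    ("env_file", re.compile(r"(^|/)\.env(\.[\w-]+)?$", re.I)),
    ("invoice", re.compile(r"invoice", re.I)),
    ("identity_document", re.compile(r"(passport|id[-_ ]?card|driver[-_ ]?licen[cs]e)", re.I)),
]

def classify(path):
    """Return the first matching category for an object path, or None."""
    for label, rx in SENSITIVE:
        if rx.search(path):
            return label
    return None

def audit(buckets, out_path):
    """Append one JSON line per finding as soon as it is found, so a scan
    interrupted part-way through keeps everything recorded so far."""
    count = 0
    with open(out_path, "a", encoding="utf-8") as out:
        for bucket in buckets:
            for obj in bucket["objects"]:
                label = classify(obj["name"])
                if label is None:
                    continue
                # Assumed severity rule: sensitive object in a public bucket is "high".
                severity = "high" if bucket["public"] else "review"
                out.write(json.dumps({"bucket": bucket["id"], "object": obj["name"],
                                      "category": label, "severity": severity}) + "\n")
                out.flush()  # progressive write: the finding is on disk before the next object
                count += 1
    return count

# Constructed sample: object listings as an anon-key read test might have collected them.
SAMPLE = [
    {"id": "avatars", "public": True, "objects": [{"name": "u1/photo.png"}, {"name": "tmp/.env.production"}]},
    {"id": "exports", "public": True, "objects": [{"name": "2024/db-backup.sql.gz"}, {"name": "billing/invoice-0042.pdf"}]},
    {"id": "kyc", "public": False, "objects": [{"name": "u7/passport.jpg"}]},
]

def run_sample():
    path = Path(tempfile.mkdtemp()) / "findings.jsonl"
    n = audit(SAMPLE, path)
    return n, [json.loads(line) for line in path.read_text().splitlines()]

if __name__ == "__main__":
    for finding in run_sample()[1]:
        print(finding)
```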