Tests your Supabase Realtime WebSocket channels for security holes by attempting to subscribe to Postgres Changes, Broadcast, and Presence channels with only the anon key. It logs findings progressively as it runs (a critical requirement here), checking whether table changes stream when they shouldn't, whether broadcast channels such as "admin" or "notifications" are publicly accessible, and whether presence data exposes user details. The output is thorough, showing exactly what data is leaking along with sample JSON payloads. Use this when you're streaming sensitive data over Realtime and want to verify that your RLS policies actually apply to WebSocket subscriptions, not just to REST queries. The remediation examples are solid, covering both RLS and the less documented realtime.channels authorization policies.
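As an added illustration of the two layers this audit exercises (not code from the skill or from Supabase's documentation), the SQL below shows the weak and hardened policies for both Postgres Changes and Broadcast/Presence; the table `public.messages`, its `user_id` column, and the `room:` topic prefix are assumptions, and the policies on `realtime.messages` target current Supabase projects where private channels are authorized through that table.

```sql
-- Added example, not part of the skill or Supabase docs. Assumed names:
-- table public.messages with column user_id, channel topics 'room:<id>'.

-- 1. Postgres Changes: a change event reaches a subscriber only if the row
--    passes the source table's RLS for that role. No RLS, or a permissive
--    policy, is what lets the anon key stream rows over the WebSocket.
alter table public.messages enable row level security;

-- Weak setting (what the audit flags): anon and everyone else read all rows.
-- create policy "public read" on public.messages for select using (true);

-- Hardened: only the authenticated owner of a row receives its change events.
create policy "owner can read own messages"
  on public.messages
  for select
  to authenticated
  using ((select auth.uid()) = user_id);

-- 2. Broadcast / Presence: these never touch public.messages, so table RLS
--    does not apply. Create the channel as private on the client
--    (supabase.channel('room:1', { config: { private: true } })) and gate it
--    with policies on realtime.messages. realtime.topic() is the channel
--    name; extension is 'broadcast' or 'presence'.
create policy "authenticated can listen to rooms"
  on realtime.messages
  for select
  to authenticated
  using (
    realtime.messages.extension in ('broadcast', 'presence')
    and realtime.topic() like 'room:%'
  );

-- Sending broadcasts and tracking presence on the same topics.
create policy "authenticated can publish to rooms"
  on realtime.messages
  for insert
  to authenticated
  with check (
    realtime.messages.extension in ('broadcast', 'presence')
    and realtime.topic() like 'room:%'
  );

-- With no matching policy on realtime.messages the anon key cannot join a
-- private channel, so topics such as 'admin' or 'notifications' stay closed.
```

Re-run the audit after applying the policies: Postgres Changes should yield no events for the anon key, and the broadcast and presence joins should be rejected rather than silently succeeding.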
npx skills add https://github.com/yoanbernabeu/supabase-pentest-skills --skill supabase-audit-realtime