This audits PostgreSQL functions exposed through Supabase's RPC endpoint, looking for three main problems: SECURITY DEFINER functions that bypass row-level security, missing auth.uid() checks that let anyone call admin functions, and SQL injection vulnerabilities from text parameters. It tests each function progressively and writes findings to context files as it goes, not at the end. The output shows you exactly which functions are dangerous and gives you the SQL to fix them. Use this after you've done a tables audit to find privilege escalation paths hidden in your database functions. The skill is paranoid about SECURITY DEFINER and anything that accepts raw text input, which is the right instinct.
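As an added illustration of the three checks described above (this is constructed example SQL, not code from the supabase-audit-rpc skill or its author), the first statement enumerates SECURITY DEFINER functions in the `public` schema, which Supabase exposes through PostgREST as `/rest/v1/rpc/<name>` by default, and flags the heuristics a reviewer would look at: whether the `anon` and `authenticated` roles may execute the function, whether the body ever consults `auth.uid()`, whether it accepts raw text parameters, whether it concatenates them into dynamic SQL, and whether `search_path` is pinned. The second part shows a deliberately vulnerable function next to a hardened rewrite. The table `public.notes` with columns `owner_id` and `owner_email`, and the function names `delete_user_notes` / `delete_my_notes`, are assumptions made up for the example; the `anon` and `authenticated` roles are the ones Supabase creates.

```sql
-- Constructed audit query (not part of the skill): list SECURITY DEFINER
-- functions reachable through the RPC endpoint and the risk signals a
-- reviewer cares about. All columns are heuristics, not proof of a bug.
SELECT
  p.proname                                                   AS function_name,
  pg_get_function_arguments(p.oid)                            AS arguments,
  -- PostgREST executes RPC calls as 'anon' (no JWT) or 'authenticated'
  has_function_privilege('anon', p.oid, 'EXECUTE')            AS anon_can_execute,
  has_function_privilege('authenticated', p.oid, 'EXECUTE')   AS authenticated_can_execute,
  -- body never references auth.uid(): nothing ties the call to a user
  (p.prosrc !~ 'auth\.uid\(\)')                               AS no_auth_uid_check,
  -- raw text parameters are the usual carrier for SQL injection
  (pg_get_function_arguments(p.oid)
     ~ '\m(text|varchar|character varying)\M')                AS takes_text,
  -- EXECUTE combined with || concatenation is the classic injection shape
  (p.prosrc ~* 'execute\s' AND p.prosrc ~ '\|\|')             AS concatenates_dynamic_sql,
  -- SECURITY DEFINER without SET search_path allows object shadowing
  (COALESCE(array_to_string(p.proconfig, ','), '')
     NOT LIKE '%search_path%')                                AS search_path_unset
FROM pg_proc p
JOIN pg_namespace n ON n.oid = p.pronamespace
WHERE n.nspname = 'public'
  AND p.prosecdef                                             -- SECURITY DEFINER only
ORDER BY p.proname;

-- Vulnerable pattern (constructed): runs with the owner's privileges so RLS on
-- public.notes is bypassed, never checks who is calling, and splices a text
-- parameter straight into dynamic SQL.
CREATE OR REPLACE FUNCTION public.delete_user_notes(target_email text)
RETURNS void
LANGUAGE plpgsql
SECURITY DEFINER
AS $$
BEGIN
  EXECUTE 'DELETE FROM public.notes WHERE owner_email = ''' || target_email || '''';
END;
$$;

-- Hardened form (constructed). SECURITY DEFINER is kept only where the
-- function genuinely must bypass RLS; search_path is pinned, the caller must
-- be authenticated, the row filter is tied to auth.uid(), and the parameter is
-- bound with USING instead of concatenated into the statement text.
CREATE OR REPLACE FUNCTION public.delete_my_notes(target_email text)
RETURNS integer
LANGUAGE plpgsql
SECURITY DEFINER
SET search_path = public, pg_temp
AS $$
DECLARE
  deleted integer;
BEGIN
  IF auth.uid() IS NULL THEN
    RAISE EXCEPTION 'not authenticated' USING ERRCODE = '28000';
  END IF;
  -- $1/$2 are bound values; a quote inside target_email cannot change the SQL
  EXECUTE 'DELETE FROM public.notes WHERE owner_id = $1 AND owner_email = $2'
    USING auth.uid(), target_email;
  GET DIAGNOSTICS deleted = ROW_COUNT;
  RETURN deleted;
END;
$$;

-- Privileges: PostgREST grants EXECUTE to PUBLIC by default on new functions,
-- so remove it and grant only the role that should reach this RPC.
REVOKE EXECUTE ON FUNCTION public.delete_my_notes(text) FROM PUBLIC, anon;
GRANT  EXECUTE ON FUNCTION public.delete_my_notes(text) TO authenticated;
```

Run the audit query as a superuser or the `postgres` role so `pg_proc.prosrc` is readable. A row with `anon_can_execute = true`, `no_auth_uid_check = true` and `takes_text = true` is the combination the skill's description warns about and is worth reading by hand; `concatenates_dynamic_sql` narrows it further but will miss `format()`-based injection and flag some harmless string building, so treat it as a pointer, not a verdict. Note that `auth.uid()` still works inside a SECURITY DEFINER body because it reads the request JWT from a session setting, not from the executing role.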
npx skills add https://github.com/yoanbernabeu/supabase-pentest-skills --skill supabase-audit-rpc