This one hits the Supabase PostgREST OpenAPI endpoint to enumerate every table exposed through your API, which is your actual attack surface. It classifies them by risk (financial data, PII, public content) and shows columns, primary keys, and foreign key relationships. Use it at the start of any security audit before you test RLS policies or try reading data. The output is pretty thorough, showing you not just what's in the schema but also probing for hidden tables that exist but aren't advertised. One thing to note is the aggressive emphasis on progressive file writing, which makes sense if you're auditing dozens of tables and don't want to lose findings mid-run.
npx skills add https://github.com/yoanbernabeu/supabase-pentest-skills --skill supabase-audit-tables-list