This is a reconnaissance tool that checks whether a website runs on Supabase by scanning for telltale signs like supabase.co domains, the @supabase/supabase-js client library, REST API endpoints, and response headers. It's the first step before running any Supabase security audit since there's no point testing for Supabase vulnerabilities if the app doesn't use it. The skill writes findings to a JSON context file and audit log as it works, not just at the end, which means you won't lose progress if something crashes mid-scan. It handles edge cases like custom domains and self-hosted instances, though detection gets trickier there. Confidence levels range from high (multiple evidence types) to low (might be a false positive).
npx skills add https://github.com/yoanbernabeu/supabase-pentest-skills --skill supabase-detect
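The evidence-based scoring described above, as an added example that is not the skill's own code. The four evidence types come from the description; the regexes, the `sb-` header prefix, the confidence thresholds and the sample pages are assumptions constructed for illustration.

```javascript
// Each check looks for one evidence type in an already-fetched page
// ({ body, headers }), so the example runs offline.
const CHECKS = {
  // Hosted projects are served from a supabase.co subdomain.
  domain: (p) => /[a-z0-9-]+\.supabase\.co\b/i.test(p.body),
  // Package name left in bundled or inline JavaScript.
  client_library: (p) => /@supabase\/supabase-js/.test(p.body),
  // Supabase API paths; these survive custom domains and self-hosting.
  rest_endpoint: (p) => /\/(rest|auth|storage)\/v1\//.test(p.body),
  // Assumption: gateway response headers carry an "sb-" prefix.
  response_header: (p) =>
    Object.keys(p.headers).some((h) => h.toLowerCase().startsWith("sb-")),
};

// Assumption: a domain or library hit alone is stronger than a bare
// path or header hit, which other stacks could also produce.
const STRONG = new Set(["domain", "client_library"]);

function detectSupabase(page) {
  const evidence = Object.keys(CHECKS).filter((name) => CHECKS[name](page));
  let confidence = "none";
  if (evidence.length >= 2) confidence = "high"; // multiple evidence types
  else if (evidence.length === 1)
    confidence = STRONG.has(evidence[0]) ? "medium" : "low";
  return { detected: evidence.length > 0, confidence, evidence };
}

// Constructed sample pages (not captured from any real site).
const SAMPLES = {
  hosted: {
    body: 'import { createClient } from "@supabase/supabase-js";' +
      'createClient("https://abcdefghijklmnopqrst.supabase.co", "<anon-key>")',
    headers: { "sb-gateway-version": "1" },
  },
  customDomain: {
    body: 'fetch("https://api.example.com/rest/v1/todos")',
    headers: { "content-type": "text/html" },
  },
  unrelated: { body: "<html><body>hello</body></html>", headers: {} },
};

for (const [name, page] of Object.entries(SAMPLES)) {
  console.log(name, JSON.stringify(detectSupabase(page)));
}
```

The `customDomain` sample shows why detection is harder behind a custom domain: only the API path remains, so the result is low confidence and should be confirmed before any Supabase-specific audit step is run.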