Extracts the Supabase anon key from client-side code. Unlike the service key, the anon key is supposed to be there. The skill searches JavaScript bundles for JWT patterns, decodes the payload to verify the role is really anon, and checks whether the key matches your project URL. It writes findings progressively to context files as it goes rather than batching at the end, which matters if you're running a longer pentest chain. Finding this key is just step one. The real question is whether RLS is configured properly, because the anon key is safe only when row level security actually blocks unauthorized access.
npx skills add https://github.com/yoanbernabeu/supabase-pentest-skills --skill supabase-extract-anon-key
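The check described above (find JWT-shaped strings, decode the payload, confirm the role, compare against the project URL) can be run against a bundle you own, as in this added example, which is not the skill's own code. It assumes the payload carries `role` and `ref` claims, that the service key's role is `service_role`, and that the project URL has the form `https://<ref>.supabase.co`; the function names and sample tokens are constructed for illustration.

```javascript
// Added example: classify Supabase-style JWTs found in a bundle you own.
// Assumptions: payload claims "role" and "ref"; project URL is https://<ref>.supabase.co.
const JWT_RE = /eyJ[A-Za-z0-9_-]+\.eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+/g;

function decodePayload(jwt) {
  try {
    return JSON.parse(Buffer.from(jwt.split(".")[1], "base64url").toString("utf8"));
  } catch {
    return null; // matched the pattern but is not a decodable JWT
  }
}

function projectRef(projectUrl) {
  // First hostname label is taken as the project ref (assumption stated above).
  return new URL(projectUrl).hostname.split(".")[0];
}

function auditBundle(source, projectUrl) {
  const ref = projectRef(projectUrl);
  const findings = [];
  // De-duplicate: the same key is often inlined in several chunks.
  for (const token of new Set(source.match(JWT_RE) || [])) {
    const payload = decodePayload(token);
    if (!payload || typeof payload.role !== "string") continue;
    let verdict;
    if (payload.role === "service_role") verdict = "CRITICAL: service key in client code";
    else if (payload.role === "anon") verdict = "expected: anon key";
    else verdict = "review: unexpected role";
    findings.push({ role: payload.role, refMatches: payload.ref === ref, verdict });
  }
  return findings;
}

// Constructed sample: tokens built here with a placeholder signature, not real keys.
function makeToken(claims) {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString("base64url");
  return `${enc({ alg: "HS256", typ: "JWT" })}.${enc(claims)}.c2lnbmF0dXJl`;
}
const sampleBundle = [
  `const a="${makeToken({ iss: "supabase", ref: "abcdefghijklmnop", role: "anon" })}";`,
  `const b="${makeToken({ iss: "supabase", ref: "zzzzzzzzzzzzzzzz", role: "service_role" })}";`,
].join("\n");

console.log(auditBundle(sampleBundle, "https://abcdefghijklmnop.supabase.co"));
```

An `anon` finding with `refMatches: true` is the expected state; it says nothing about whether RLS policies are in place, which still has to be verified separately.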