Pulls JWTs out of client-side code, cookies, and localStorage references when you're pentesting a Supabase app. It decodes the tokens, flags the really bad stuff like hardcoded service role keys or user access tokens with PII baked in, and distinguishes between expected exposure (anon keys are fine) and actual problems (developer tokens left in production bundles). The progressive logging is aggressive by design, writing findings to context files after each discovery so you don't lose data if Claude times out mid-scan. Most useful right after initial Supabase detection when you want to see what secrets made it into the build. Saves everything to a pentest evidence directory with severity ratings from P0 to P2.
npx skills add https://github.com/yoanbernabeu/supabase-pentest-skills --skill supabase-extract-jwt
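The decode-and-classify step described above can also be run against your own build output before it ships. The sketch below is an added example, not the skill's own code; the regex, the PII claim list, the severity mapping (including the "info" level for anon keys) and the sample tokens are assumptions of this example.

```python
import base64
import json
import re

# A JSON JWT header and payload both start with '{"', which base64url-encodes to "eyJ".
JWT_RE = re.compile(r"eyJ[A-Za-z0-9_-]+\.eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]*")
PII_CLAIMS = ("email", "phone", "user_metadata")  # claims treated as PII (assumption)

def decode_claims(token):
    """Decode the payload segment without verifying the signature."""
    segment = token.split(".")[1]
    padded = segment + "=" * (-len(segment) % 4)  # restore stripped padding
    claims = json.loads(base64.urlsafe_b64decode(padded))
    if not isinstance(claims, dict):
        raise ValueError("payload is not a JSON object")
    return claims

def classify(token):
    """Return (severity, reason) or None; the severity mapping is an assumption."""
    try:
        claims = decode_claims(token)
    except (ValueError, IndexError):
        return None
    role = claims.get("role")
    if role == "service_role":
        return ("P0", "service_role key bypasses RLS and must not ship to clients")
    if role == "anon":
        return ("info", "anon key, expected in client code")
    pii = [c for c in PII_CLAIMS if claims.get(c)]
    if pii:
        return ("P1", "user token carrying PII claims: " + ", ".join(pii))
    return ("P2", "other embedded token, review origin and expiry")

def scan(text):
    """Classify each distinct JWT-shaped string found in text, in order of appearance."""
    tokens = dict.fromkeys(JWT_RE.findall(text))  # de-duplicate, keep order
    return [r for r in map(classify, tokens) if r is not None]

def _sample_token(claims):
    """Build a constructed token with a dummy signature for the demo input."""
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    return ".".join((enc({"alg": "HS256", "typ": "JWT"}), enc(claims), "c2ln"))

# Constructed bundle text; none of these tokens belong to a real project.
SAMPLE_BUNDLE = " ".join('key="%s";' % _sample_token(c) for c in (
    {"iss": "supabase", "role": "anon"},
    {"iss": "supabase", "role": "service_role"},
    {"sub": "user-123", "role": "authenticated", "email": "dev@example.test"},
))
```

`scan(SAMPLE_BUNDLE)` returns one `(severity, reason)` pair per distinct token; the payload is only decoded, never signature-verified, so a finding says what the token claims to be, not that it is still valid.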