This is a security check that scans your client-side code for accidentally exposed Supabase service_role keys, which bypass all Row Level Security and grant full database access. It decodes JWTs to check for the service_role claim, searches for common variable names like SUPABASE_SERVICE_KEY, and analyzes JavaScript bundles and source maps. If it finds an exposed key, you get immediate remediation steps: rotate the key in your Supabase dashboard, remove it from client code, and move privileged operations to Edge Functions. Run this before every production deployment. The difference between service_role and anon keys is the difference between a master key and a public API token, so this is genuinely a P0 finding if caught.
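A minimal version of the JWT-claim and variable-name scan described above, added here as an illustration and not the skill's own code; the sample bundle, the project ref `exampleref` and the unsigned tokens are constructed:

```javascript
// Added example (not the skill's own code): scan a text blob such as a built
// JS bundle, source map or .env for Supabase JWTs whose payload carries the
// service_role claim, plus variable names that commonly hold that key.
const JWT_RE = /eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+/g;
const NAME_RE = /SUPABASE_SERVICE_KEY|SUPABASE_SERVICE_ROLE_KEY|SERVICE_ROLE_KEY/g;

// Decode one base64url JWT segment into a JSON object.
function decodeSegment(seg) {
  const b64 = seg.replace(/-/g, '+').replace(/_/g, '/');
  const padded = b64 + '='.repeat((4 - (b64.length % 4)) % 4);
  return JSON.parse(Buffer.from(padded, 'base64').toString('utf8'));
}

// Return the role/ref claims of a JWT, or null if the match is not a JWT.
function classifyToken(token) {
  try {
    const payload = decodeSegment(token.split('.')[1]);
    return { role: payload.role ?? null, ref: payload.ref ?? null };
  } catch {
    return null;
  }
}

const lineOf = (text, idx) => text.slice(0, idx).split('\n').length;

// Scan source text; report service_role JWTs and suspicious variable names.
function scanSource(text) {
  const findings = [];
  for (const m of text.matchAll(JWT_RE)) {
    const claims = classifyToken(m[0]);
    if (claims && claims.role === 'service_role') {
      findings.push({ kind: 'service_role_jwt', line: lineOf(text, m.index), ref: claims.ref });
    }
  }
  for (const m of text.matchAll(NAME_RE)) {
    findings.push({ kind: 'suspicious_name', line: lineOf(text, m.index), name: m[0] });
  }
  return findings;
}

// Constructed, unsigned stand-in for a Supabase key (header.payload.signature).
function fakeJwt(payload) {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
  return `${enc({ alg: 'HS256', typ: 'JWT' })}.${enc(payload)}.constructedsignature`;
}

// Constructed sample bundle: harmless anon key on line 2, leaked service_role key on lines 3-4.
const SAMPLE_BUNDLE = [
  'const SUPABASE_URL = "https://example-project.supabase.co";',
  `const SUPABASE_ANON_KEY = "${fakeJwt({ iss: 'supabase', ref: 'exampleref', role: 'anon' })}";`,
  'const SUPABASE_SERVICE_KEY =',
  `  "${fakeJwt({ iss: 'supabase', ref: 'exampleref', role: 'service_role' })}";`,
].join('\n');

for (const f of scanSource(SAMPLE_BUNDLE)) console.log(f);
```

Point `scanSource` at the contents of each emitted bundle and source map; any `service_role_jwt` finding means the key must be rotated, not just deleted from the source.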
npx skills add https://github.com/yoanbernabeu/supabase-pentest-skills --skill supabase-extract-service-key