supabase-extract-anon-key
Extracts Supabase anonymous API keys from client-side source code to facilitate RLS testing and security auditing.
Introduction
The supabase-extract-anon-key skill is a security auditing tool that identifies and extracts anonymous (public) API keys from an application's client-side source code. By analyzing bundles produced by frontend frameworks such as React, Next.js, and Vite, it helps security practitioners and developers verify that only the intended anon key is exposed, which is the baseline for confirming that the project's Row Level Security (RLS) policies are correctly configured. Because the anon key is expected in client applications, its presence is not itself a vulnerability, but its exposure pattern is a critical starting point for further testing such as API audits, storage bucket enumeration, and IDOR assessments.
- Automatically scans common extraction patterns including direct assignments, client initialization snippets, and environment variables like NEXT_PUBLIC_SUPABASE_ANON_KEY or VITE_SUPABASE_ANON_KEY.
- Performs strict validation of the extracted JWT, confirming the project reference, role (anon), and token expiration status.
- Implements mandatory progressive file updates, writing findings immediately to .sb-pentest-context.json and .sb-pentest-audit.log to maintain a reliable audit trail even if the process is interrupted.
- Provides immediate feedback on potential security risks, such as accidental exposure of a service_role key, which would constitute a critical P0 security failure.
- Integrates seamlessly with other Supabase pentest tools, serving as a prerequisite for downstream RLS policy and RPC function testing.
- Ensure the target application is accessible before execution to allow the agent to inspect static files or network traffic.
- This tool is intended for internal, authorized self-assessment; always confirm testing authorization before running against live production environments.
- If an extracted key fails validation, check for obfuscation or runtime fetching patterns that may require additional debugging steps.
- Use the generated .sb-pentest-context.json to pass credentials to subsequent steps in your security audit pipeline.
- Strictly read-only operations ensure that the audit process does not modify or delete live data within the target Supabase project.
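The scan-and-validate step described above, as an added example that is not the skill's own code: it finds JWT-shaped strings in a source or bundle text, notes which of the listed patterns (env-var name or createClient call) sits next to each one, decodes the payload without verifying the signature (the client side never holds the signing secret), and classifies the key by its role, project reference and expiry. It assumes the claim names of Supabase's legacy JWT-style keys (`ref`, `role`, `exp`), and the sample bundle and tokens are constructed here with a placeholder signature, not taken from any real project.

```python
import base64
import json
import re
import time
from typing import Optional

# A JWT-shaped string: three base64url segments, header and payload both begin with "eyJ" ('{"').
JWT_RE = re.compile(r"eyJ[A-Za-z0-9_-]+\.eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]*")

# Extraction patterns the skill description lists: env-var names and the client-init call.
CONTEXT_RE = re.compile(
    r"(NEXT_PUBLIC_SUPABASE_ANON_KEY|VITE_SUPABASE_ANON_KEY|SUPABASE_ANON_KEY|createClient\s*\()"
)


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are unpadded base64url; restore padding before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_sample_token(payload: dict) -> str:
    """Build a JWT-shaped string with a placeholder signature (constructed test data only)."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps(payload).encode())
    return f"{header}.{body}.placeholdersignature"


def decode_claims(token: str) -> Optional[dict]:
    """Return the payload claims of a JWT without signature verification; None if malformed."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    try:
        claims = json.loads(_b64url_decode(parts[1]))
    except ValueError:  # covers binascii.Error, UnicodeDecodeError and JSONDecodeError
        return None
    return claims if isinstance(claims, dict) else None


def validate_key(token: str, expected_ref: Optional[str] = None, now: Optional[float] = None) -> dict:
    """Classify a candidate key: expected anon key, leaked service_role key, or something to investigate."""
    now = time.time() if now is None else now
    claims = decode_claims(token)
    if claims is None or "role" not in claims:
        return {"role": None, "ref": None, "expired": None, "severity": "invalid"}
    ref, role, exp = claims.get("ref"), claims.get("role"), claims.get("exp")
    expired = exp is not None and exp < now
    if role == "service_role":
        severity = "critical"  # privileged key in client code bypasses RLS entirely (P0)
    elif role == "anon" and (expected_ref is None or ref == expected_ref) and not expired:
        severity = "info"  # the expected public key; baseline for later RLS tests
    else:
        severity = "warning"  # wrong project, unexpected role, or expired token
    return {"role": role, "ref": ref, "expired": expired, "severity": severity}


def audit_source(source: str, expected_ref: Optional[str] = None, now: Optional[float] = None) -> list:
    """Scan a source/bundle text for JWT-shaped keys and validate each one, in order of appearance."""
    findings = []
    for match in JWT_RE.finditer(source):
        window = source[max(0, match.start() - 80):match.start()]
        names = CONTEXT_RE.findall(window)
        result = validate_key(match.group(0), expected_ref, now)
        result["context"] = names[-1] if names else "unnamed"
        result["token"] = match.group(0)  # keep for the context file; log only a prefix elsewhere
        findings.append(result)
    return findings


# Constructed sample bundle (assumption: not from any real project). It contains the expected anon
# key assigned through an env var, and a service_role key mistakenly inlined in a second client.
PROJECT_REF = "abcdefghijklmnopqrst"
ANON_KEY = make_sample_token({"iss": "supabase", "ref": PROJECT_REF, "role": "anon",
                              "iat": 1_700_000_000, "exp": 2_000_000_000})
LEAKED_KEY = make_sample_token({"iss": "supabase", "ref": PROJECT_REF, "role": "service_role",
                                "iat": 1_700_000_000, "exp": 2_000_000_000})
SAMPLE_BUNDLE = (
    f'NEXT_PUBLIC_SUPABASE_ANON_KEY="{ANON_KEY}"\n'
    f'const admin = createClient("https://{PROJECT_REF}.supabase.co", "{LEAKED_KEY}");\n'
)

if __name__ == "__main__":
    for finding in audit_source(SAMPLE_BUNDLE, PROJECT_REF):
        print(f'[{finding["severity"]}] role={finding["role"]} ref={finding["ref"]} '
              f'expired={finding["expired"]} via {finding["context"]} key={finding["token"][:12]}...')
```

The `now` parameter exists so the expiry check is deterministic in tests; in a real run it defaults to the current time. A `critical` finding means the bundle should be treated as compromised regardless of RLS policy, since the service_role key is honoured by PostgREST without any row filtering, and key rotation is the fix, not policy tuning.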
Repository Stats
- Stars: 37
- Forks: 1
- Open Issues: 0
- Language: Not provided
- Default Branch: main
- Sync Status: Idle
- Last Synced: May 3, 2026, 03:51 PM