supabase-owasp-audit
Install: claude install-skill thiagoferal-ia/thiago-feral-skills
# Supabase OWASP Security Audit
This skill turns a connected Supabase project plus a repository into a precise, OWASP-aligned
security audit. The deliverable is a layered, visual report presented in the chat first, followed by
two optional Markdown files. The goal is an analysis any reader can follow — technical or not —
backed by evidence from both the code and the live database.
## What makes this audit trustworthy
- **Two sources, cross-checked.** Static code review finds intent (hardcoded secrets, missing auth,
unsigned webhooks); the live database shows reality (which role can actually read which table right
now). A finding is strongest when both agree. Migrations are cumulative and can lie about the final
state — always confirm against the live database.
- **Latest OWASP, fetched at run time.** Do not assume the edition from memory. The current edition is
OWASP Top 10:2025; still verify (see Phase 0).
- **Evidence over assertion.** Every finding cites the file/line or the exact query result behind it.
- **Honest scoring.** A transparent rubric (`references/scoring.md`), never a number pulled from thin air.
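The "reality" side of the cross-check above is a handful of catalog queries against the live database. The following is an added example of what such a confirmation looks like, not a query shipped with this skill; it assumes the default Supabase PostgREST roles (`anon`, `authenticated`), the exposed `public` schema, and that it is run through `execute_sql` as a role allowed to read the catalogs.

```sql
-- Added example, not part of the skill. Confirms the live state that cumulative
-- migrations may misrepresent. Assumes Supabase defaults: PostgREST exposes the
-- `public` schema and the unauthenticated API role is `anon`.

-- 1. Tables in `public` with row level security disabled. For these, any table
--    privilege held by `anon` applies to every row.
select c.relname               as table_name,
       c.relrowsecurity        as rls_enabled,
       c.relforcerowsecurity   as rls_forced
from pg_class c
join pg_namespace n on n.oid = c.relnamespace
where n.nspname = 'public'
  and c.relkind in ('r', 'p')        -- ordinary and partitioned tables
  and not c.relrowsecurity
order by c.relname;

-- 2. What the `anon` role can actually do on each table right now (table
--    privileges; RLS then filters rows on top of these).
select t.table_name,
       has_table_privilege('anon', format('%I.%I', t.table_schema, t.table_name), 'SELECT') as anon_select,
       has_table_privilege('anon', format('%I.%I', t.table_schema, t.table_name), 'INSERT') as anon_insert,
       has_table_privilege('anon', format('%I.%I', t.table_schema, t.table_name), 'UPDATE') as anon_update,
       has_table_privilege('anon', format('%I.%I', t.table_schema, t.table_name), 'DELETE') as anon_delete
from information_schema.tables t
where t.table_schema = 'public'
  and t.table_type = 'BASE TABLE'
order by t.table_name;

-- 3. Policies reachable by `anon` whose USING clause is a bare `true`. RLS is
--    enabled on paper but the policy admits every row. A policy created without
--    a TO clause applies to `public`, which includes `anon`.
select schemaname, tablename, policyname, cmd, roles, qual
from pg_policies
where schemaname = 'public'
  and (roles = '{public}' or 'anon' = any(roles))
  and qual = 'true'
order by tablename, policyname;
```

Read the three results together: a table that appears in query 1 or 3 and has `anon_select = true` in query 2 is readable by anyone holding the project's public API key, regardless of what the migration files suggest. Record the exact query output as the evidence for that finding, alongside the file and line from the code review.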
## Inputs & prerequisites
Confirm these with the user before starting. The first two are mandatory; the rest sharpen accuracy
and prevent over/under-stating severity.
**Required**
1. **Supabase connected to Claude** (MCP). The skill needs `get_advisors`, `execute_sql`, and
`list_tables`. Confirm the exact `project_id` and that it is the **production**