DiscordSign up
SKILLS.SH

supabase

Use when doing ANY task involving Supabase. Triggers: Supabase products (Database, Auth, Edge Functions, Realtime, Storage, Vectors, Cron, Queues); client…

INSTALLATION
npx skills add https://github.com/supabase/agent-skills --skill supabase
Run in your project or agent environment. Adjust flags if your CLI version differs.

SKILL.md

$27

When a user reports a SQL-created table is unexpectedly inaccessible, check their Data API settings and whether the roles have been granted access via explicit GRANT SQL. When granting public (anon/authenticated) access, always enable RLS too. See Exposing a Table to the Data API for the full setup workflow.

5. RLS in exposed schemas.

Enable RLS on every table in any exposed schema, which includes public by default. This is critical in Supabase because tables in exposed schemas can be reachable through the Data API when the anon/authenticated roles have access (see Exposing a Table to the Data API). For private schemas, prefer RLS as defense in depth. After enabling RLS, create policies that match the actual access model rather than defaulting every table to the same auth.uid() pattern.

6. Security checklist.

When working on any Supabase task that touches auth, RLS, views, storage, or user data, run through this checklist. These are Supabase-specific security traps that silently create vulnerabilities:

-

Auth and session security

  • **Never use user_metadata claims in JWT-based authorization decisions.** In Supabase, raw_user_meta_data is user-editable and can appear in auth.jwt(), so it is unsafe for RLS policies or any other authorization logic. Store authorization data in raw_app_meta_data / app_metadata instead.
  • Deleting a user does not invalidate existing access tokens. Sign out or revoke sessions first, keep JWT expiry short for sensitive apps, and for strict guarantees validate session_id against auth.sessions on sensitive operations.
  • **If you use app_metadata or auth.jwt() for authorization, remember JWT claims are not always fresh until the user's token is refreshed.**

-

API key and client exposure

  • **Never expose the service_role or secret key in public clients.** Prefer publishable keys for frontend code. Legacy anon keys are only for compatibility. In Next.js, any NEXT_PUBLIC_ env var is sent to the browser.

-

RLS, views, and privileged database code

  • Views bypass RLS by default. In Postgres 15 and above, use CREATE VIEW ... WITH (security_invoker = true). In older versions of Postgres, protect your views by revoking access from the anon and authenticated roles, or by putting them in an unexposed schema.
  • UPDATE requires a SELECT policy. In Postgres RLS, an UPDATE needs to first SELECT the row. Without a SELECT policy, updates silently return 0 rows — no error, just no change.
  • **auth.role() is deprecated — use the TO clause instead.** Supabase has deprecated auth.role() in favour of specifying the target role directly on the policy with TO authenticated or TO anon. Beyond deprecation, auth.role() = 'authenticated' breaks silently when anonymous sign-ins are enabled, because anonymous users carry the authenticated Postgres role and pass the check regardless of whether the user is genuinely signed in.
-- Deprecated (do not use)

create policy "example" on table_name for select

using ( auth.role() = 'authenticated' );
  • **TO authenticated alone is authentication without authorization (BOLA / IDOR).** Using TO authenticated only checks the role — it does not restrict which rows a user can access. The correct pattern combines TO authenticated with an ownership predicate in USING:
create policy "example" on table_name for select

to authenticated

using ( (select auth.uid()) = user_id );
  • **UPDATE policies require both USING and WITH CHECK.** Without WITH CHECK, a user can reassign a row's user_id to another user:
create policy "example" on table_name for update

to authenticated

using ( (select auth.uid()) = user_id )

with check ( (select auth.uid()) = user_id );
  • **SECURITY DEFINER functions bypass RLS.** A SECURITY DEFINER function runs with its creator's privileges — typically a role with bypassrls (e.g., postgres). Never add SECURITY DEFINER to resolve a permission error; it silently removes access control without fixing the underlying cause. Prefer SECURITY INVOKER.
  • **SECURITY DEFINER functions in public are callable by all roles.** Postgres grants EXECUTE to PUBLIC by default for every new function, so any SECURITY DEFINER function in public is a public API endpoint callable by anon and authenticated (which inherit from PUBLIC) without any additional grant. When SECURITY DEFINER is genuinely needed (e.g., bypassing RLS on an internal lookup table), keep the function in a non-exposed schema, always include an auth.uid() check in the function body, and run supabase db advisors after making changes.

-

Storage access control

  • Storage upsert requires INSERT + SELECT + UPDATE. Granting only INSERT allows new uploads but file replacement (upsert) silently fails. You need all three.

For any security concern not covered above, fetch the Supabase product security index: https://supabase.com/docs/guides/security/product-security.md

Supabase CLI

Always discover commands via --help — never guess. The CLI structure changes between versions.

supabase --help                    # All top-level commands

supabase <group> --help            # Subcommands (e.g., supabase db --help)

supabase <group> <command> --help  # Flags for a specific command

Supabase CLI Known gotchas:

  • supabase db query requires CLI v2.79.0+ → use MCP execute_sql or psql as fallback
  • supabase db advisors requires CLI v2.81.3+ → use MCP get_advisors as fallback
  • When you need a new migration SQL file, always create it with supabase migration new <name> first. Never invent a migration filename or rely on memory for the expected format.

Version check and upgrade: Run supabase --version to check. For CLI changelogs and version-specific features, consult the CLI documentation or GitHub releases.

Supabase MCP Server

For setup instructions, server URL, and configuration, see the MCP setup guide.

Troubleshooting connection issues — follow these steps in order:

-

Check if the server is reachable:

curl -so /dev/null -w "%{http_code}" https://mcp.supabase.com/mcp

A 401 is expected (no token) and means the server is up. Timeout or "connection refused" means it may be down.

-

**Check .mcp.json configuration:**

Verify the project root has a valid .mcp.json with the correct server URL. If missing, create one pointing to https://mcp.supabase.com/mcp.

-

Authenticate the MCP server:

If the server is reachable and .mcp.json is correct but tools aren't visible, the user needs to authenticate. The Supabase MCP server uses OAuth 2.1 — tell the user to trigger the auth flow in their agent, complete it in the browser, and reload the session.

Supabase Documentation

Before implementing any Supabase feature, find the relevant documentation. Use these methods in priority order:

  • **MCP search_docs tool** (preferred — returns relevant snippets directly)
  • Fetch docs pages as markdown — any docs page can be fetched by appending .md to the URL path.
  • Web search for Supabase-specific topics when you don't know which page to look at.

Making and Committing Schema Changes

**To make schema changes, use execute_sql (MCP) or supabase db query (CLI).** These run SQL directly on the database without creating migration history entries, so you can iterate freely and generate a clean migration when ready.

Do NOT use apply_migration to change a local database schema — it writes a migration history entry on every call, which means you can't iterate, and supabase db diff / supabase db pull will produce empty or conflicting diffs. If you use it, you'll be stuck with whatever SQL you passed on the first try.

When ready to commit your changes to a migration file:

  • Run advisorssupabase db advisors (CLI v2.81.3+) or MCP get_advisors. Fix any issues.
  • Review the Security Checklist above if your changes involve views, functions, triggers, or storage.
  • Generate the migrationsupabase db pull <descriptive-name> --local --yes
  • Verifysupabase migration list --local

Reference Guides

MUST read when the user reports that this skill gave incorrect guidance or is missing information.

BrowserAct

Let your agent run on any real-world website

Bypass CAPTCHA & anti-bot for free. Start local, scale to cloud.

Explore BrowserAct Skills →

Related skills

find-skills
2/3

Discover and install specialized agent skills from the open ecosystem when users need extended capabilities. Helps identify relevant skills by domain and task when users ask "how do I do X" or "find a skill for X" Integrates with the Skills CLI ( npx skills find , npx skills add ) to search, verify, and install packages from the skills.sh directory Recommends skills based on install count, source reputation, and GitHub stars to ensure quality before suggesting installation Presents skill options with install commands and links to skills.sh for user review and one-click installation

Verified authorvercel-labs
SKILLS.SH
1.5M19.6K
2026-05-22
vercel-react-best-practices
3/3

React and Next.js performance optimization guide with 64 prioritized rules across 8 categories. Organized by impact level, from critical waterfalls and bundle optimization down to advanced patterns, each rule includes incorrect/correct code examples and explanations Covers eight domains: async patterns, bundle size, server-side caching, client-side data fetching, re-render optimization, rendering performance, JavaScript efficiency, and advanced patterns Designed for use during component writing, code review, refactoring, and performance audits on React and Next.js applications Each rule has a prefix code (e.g., async-parallel , bundle-barrel-imports ) for easy reference in automated tooling and documentation

Verified authorvercel-labs
SKILLS.SH
389K26.9K
2026-05-22
azure-validate
2/3

Pre-deployment validation for Azure infrastructure, configuration, and permissions before deployment. Requires .azure/plan.md from a prior azure-prepare run; stops immediately if the plan is missing Executes recipe-specific validation commands (azd provision, bicep build, terraform validate) and records proof in the plan document Performs build verification, configuration checks, and permission validation; blocks deployment if any check fails Only authorized method to set plan status to Validated ; must be followed by azure-deploy skill to execute the actual deployment

Verified authormicrosoft
SKILLS.SH
324K1.1K
2026-05-22
appinsights-instrumentation
3/3

Guidance and reference material for instrumenting webapps with Azure Application Insights. Covers SDK setup, telemetry patterns, and configuration for ASP.NET Core and Node.js applications hosted in Azure Distinguishes between this skill (reference and guidance) and azure-prepare (actual implementation); invoke azure-prepare when the user wants to add instrumentation to their project Provides auto-instrumentation guidance for C# ASP.NET Core apps in Azure App Service, plus manual instrumentation paths for creating App Insights resources via Bicep templates or Azure CLI Includes language-specific code modification guides for ASP.NET Core, Node.js, and Python, plus quick references for OpenTelemetry SDKs and exporters

Verified authormicrosoft
SKILLS.SH
324K1.1K
2026-05-22

Stop writing automation&scrapers

Install the CLI. Run your first Skill in 30 seconds. Scale when you're ready.

Start free
free · no credit card