SupaRalph Security Skill for QwenClaw
Overview
Name: suparalph-security
Source: https://github.com/vibeforge1111/vibeship-suparalph
Mascot: "I'm in danger!" - Ralph Wiggum
SupaRalph is an open-source Supabase penetration testing and security scanner. Rather than relying on static analysis, it tests a Supabase project for vulnerabilities by executing real attacks against it.
What SupaRalph Does
| Capability | Description |
|---|---|
| Active Testing | Executes real exploits against your Supabase project |
| 277 Attack Vectors | Full coverage across all Supabase attack surfaces |
| Zero Persistence | No credentials or results stored - session only |
| AI-Powered Fixes | Copy findings to Supabase AI for SQL fix generation |
| CI/CD Ready | GitHub Actions integration for automated scans |
| Compliance Mapping | OWASP Top 10, SOC2, GDPR coverage |
Attack Categories (277 Total Vectors)
| Category | Attacks | What It Tests |
|---|---|---|
| RLS | 100+ | Row Level Security bypass, USING(true), missing policies |
| Auth | 43+ | Weak passwords, MFA bypass, JWT manipulation, session attacks |
| API | 39+ | GraphQL introspection, CORS, security headers, credentials |
| Storage | 23+ | Public buckets, path traversal, file type abuse |
| Functions | 15+ | Edge function auth bypass, rate limit bypass |
| Database | 14+ | Direct access, injection, extension abuse |
| Vibecoder | 13+ | Common AI-generated code mistakes |
| Realtime | 13+ | Subscription leaks, channel hijacking |
Installation
Option 1: Run Locally
```bash
# Clone the repository
git clone https://github.com/vibeforge1111/vibeship-suparalph.git
cd vibeship-suparalph

# Install dependencies
npm install

# Start the development server
npm run dev
```
Open: http://localhost:5173
Option 2: Demo Mode
Enter `demo` as the URL to see a simulated scan without connecting to a real project.
Usage with QwenClaw
Basic Security Scan
```bash
# Start QwenClaw
qwenclaw start

# Send a task to scan the Supabase project
qwenclaw send "Use the suparalph-security skill to scan my Supabase project for vulnerabilities"
```
Interactive Scan
```bash
qwenclaw send "Use suparalph-security to:
1. Get my Supabase project URL
2. Run a full security scan with 277 attack vectors
3. Review findings and generate remediation plan
4. Copy critical findings for Supabase AI fix generation"
```
CI/CD Integration
```bash
qwenclaw send "Use suparalph-security skill to set up GitHub Actions for automated security scanning on every push"
```
Usage Workflow
Step 1: Get Supabase URL
- Go to https://supabase.com/dashboard
- Select your project
- Settings → API
- Copy Project URL
Step 2: Run Security Scan
Via Web UI:
- Open http://localhost:5173
- Paste your Supabase URL
- Optionally add anon key for deeper testing
- Click "BREACH TEST"
- Watch attacks execute in real-time via terminal UI
Via QwenClaw:
```bash
qwenclaw send "Run SupaRalph security scan on https://your-project.supabase.co"
```
Step 3: Review Results
Results appear in the real-time terminal UI:
- ✅ Passed tests (green)
- ⚠️ Warnings (yellow)
- 🚨 Breached (red)
Step 4: Fix Vulnerabilities
- Click "Copy Findings for AI"
- Open https://supabase.com/dashboard/project/_/sql/new
- Paste findings
- Ask Supabase AI to generate SQL fixes
Integration Patterns
Pattern 1: Pre-Deployment Security Check
```bash
qwenclaw send "Before deploying, use suparalph-security to scan the Supabase project and block deployment if critical vulnerabilities found"
```
Pattern 2: Automated PR Security Review
```bash
qwenclaw send "Use suparalph-security to set up automated security scanning on pull requests with comment on findings"
```
Pattern 3: AI Agent Security Loop
```bash
# With Ralph Wiggum Loop + Spark Intelligence
while :; do
  qwenclaw send "Use suparalph-security to scan for new vulnerabilities"
  qwenclaw send "Fix any critical findings with Supabase AI"
done
```
Pattern 4: Compliance Reporting
```bash
qwenclaw send "Use suparalph-security to generate OWASP Top 10 compliance report for audit"
```
Report Generation
JSON Report (Machine-Readable)
```javascript
import { generateJSONReport } from '$lib/engine/reports';

const json = generateJSONReport(report, {
  includeEvidence: true,
  includeCompliance: true
});
```
Markdown Report (Documentation)
```javascript
const md = generateMarkdownReport(report, {
  includeCompliance: true,
  includeFixes: true
});
```
HTML Report (Shareable)
```javascript
const html = generateHTMLReport(report);
```
CI/CD Setup (GitHub Actions)
Create `.github/workflows/suparalph-scan.yml`:

```yaml
name: SupaRalph Security Scan
on:
  push:
    branches: [main, develop]
  pull_request:
    branches: [main]
jobs:
  security-scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Run SupaRalph Scan
        uses: vibeforge1111/suparalph-action@v1
        with:
          supabase-url: ${{ secrets.SUPABASE_URL }}
          supabase-anon-key: ${{ secrets.SUPABASE_ANON_KEY }}
          fail-on-critical: true
          generate-report: true
      - name: Upload Security Report
        uses: actions/upload-artifact@v4
        with:
          name: suparalph-report
          path: ./suparalph-report.html
```
Required Secrets
| Secret | Description |
|---|---|
| SUPABASE_URL | Your Supabase project URL |
| SUPABASE_ANON_KEY | Your anon/public key |
Compliance Mapping
| Framework | Coverage | Mapped Controls |
|---|---|---|
| OWASP Top 10 2021 | A01-A10 | Full coverage |
| SOC2 | CC6.1, CC6.6, CC6.7 | Access control, security controls |
| GDPR | Articles 32, 33 | Security of processing, breach notification |
Security & Privacy
| Feature | Description |
|---|---|
| Zero Persistence | No credentials or scan results stored |
| Session Only | All data cleared when browser closes |
| No Server Storage | Scans run client-side |
| Open Source | Full code transparency |
| Authorized Testing Only | Only scan projects you own or have permission to test |
Usage in QwenClaw
Basic Scan
```
Use the suparalph-security skill to scan my Supabase project at https://my-project.supabase.co
```
Full Security Audit
```
Use suparalph-security to:
1. Run all 277 attack vectors
2. Generate JSON report with evidence
3. Generate Markdown compliance report for OWASP Top 10
4. Create GitHub issue for each critical finding
```
Automated Fix Workflow
```
Use suparalph-security with spark-intelligence to:
1. Scan for vulnerabilities
2. Capture findings in Spark memory
3. Generate pre-tool advisory for future similar issues
4. Copy critical findings to Supabase AI for fixes
```
Vibecoder Analysis (AI-Generated Code)
```
Use suparalph-security to scan for Vibecoder vulnerabilities (common AI-generated code mistakes) and provide remediation guidance
```
Attack Vector Examples
RLS Bypass (Critical)
```javascript
// Attack: Missing RLS policy
{
  id: 'rls-missing-policy',
  name: 'Missing RLS Policy',
  description: 'Table has no RLS policies configured',
  severity: 'critical',
  async execute(ctx) {
    // Check if RLS is enabled
    // Check for policies on all tables
    return {
      breached: true,
      status: 'breached',
      summary: 'Table "users" has no RLS policies',
      evidence: { table: 'users', policies: [] }
    };
  }
}
```
Auth: Weak Password Policy
```javascript
// Attack: Weak password requirements
{
  id: 'auth-weak-password',
  name: 'Weak Password Policy',
  description: 'Password requirements are below security standards',
  severity: 'high',
  async execute(ctx) {
    // Test minimum password length
    // Test complexity requirements
    return {
      breached: true,
      status: 'warning',
      summary: 'Minimum password length is 6 (recommended: 12+)',
      evidence: { minLength: 6, recommended: 12 }
    };
  }
}
```
Vibecoder: AI-Generated Mistake
```javascript
// Attack: Common AI-generated code vulnerability
{
  id: 'vibecoder-hardcoded-secrets',
  name: 'Hardcoded Secrets in Code',
  description: 'AI-generated code often includes hardcoded API keys',
  severity: 'critical',
  async execute(ctx) {
    // Scan for hardcoded credentials
    return {
      breached: true,
      status: 'breached',
      summary: 'Hardcoded API key found in edge function',
      evidence: { file: 'send-email.ts', line: 15 }
    };
  }
}
```
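The following is an added example, not SupaRalph's own code: an RLS vector written in the shape shown above, evaluated against a table snapshot, plus a small harness that gates on critical breaches the way the workflow's `fail-on-critical` option does. `ctx.tables`, `evaluateRls`, `gateOnCritical`, `runVectors` and the sample snapshot are constructed assumptions; the check also separates RLS disabled (rows exposed) from RLS enabled with no policy (Postgres default-deny, unreachable rather than exposed), a distinction the RLS example above does not make.

```javascript
// Added illustration, not SupaRalph code. Assumption: ctx.tables is a constructed
// metadata snapshot of the form { name, rlsEnabled, policies: [{ name, using, roles }] }.
// A USING clause that is a bare `true` lets every row through for the policy's roles.
const PERMISSIVE = /^\s*\(?\s*true\s*\)?\s*$/i;

function evaluateRls(tables) {
  const noRls = tables.filter(t => !t.rlsEnabled).map(t => t.name);
  // RLS enabled with zero policies is Postgres default-deny: unreachable, not exposed.
  const noPolicy = tables.filter(t => t.rlsEnabled && t.policies.length === 0).map(t => t.name);
  const openToAnon = [], openToOthers = [];
  for (const t of tables.filter(t => t.rlsEnabled)) {
    for (const p of t.policies.filter(p => PERMISSIVE.test(p.using))) {
      const anon = p.roles.some(r => r === 'anon' || r === 'public');
      (anon ? openToAnon : openToOthers).push(`${t.name}.${p.name}`);
    }
  }
  const breached = noRls.length > 0 || openToAnon.length > 0;
  const warn = noPolicy.length > 0 || openToOthers.length > 0;
  const status = breached ? 'breached' : warn ? 'warning' : 'passed';
  const summary = breached
    ? `Exposed: RLS disabled on [${noRls}], USING(true) for anon on [${openToAnon}]`
    : warn ? `Review: default-deny tables [${noPolicy}], USING(true) for signed-in roles [${openToOthers}]`
    : 'All tables have RLS enabled with non-trivial policies';
  return { breached, status, summary, evidence: { noRls, noPolicy, openToAnon, openToOthers } };
}

// Same shape as the vectors above; the real scan would populate ctx from the live project.
const rlsMissingPolicy = {
  id: 'rls-missing-policy',
  name: 'Missing or permissive RLS policy',
  severity: 'critical',
  async execute(ctx) { return evaluateRls(ctx.tables); }
};

// Mirrors the fail-on-critical option: any breached critical vector fails the build.
function gateOnCritical(findings) {
  return findings.some(f => f.breached && f.severity === 'critical');
}

async function runVectors(vectors, ctx) {
  const findings = [];
  for (const v of vectors) findings.push({ id: v.id, severity: v.severity, ...(await v.execute(ctx)) });
  return { findings, failBuild: gateOnCritical(findings) };
}

// Constructed sample snapshot: one safe table, one default-deny, one open to anon, one RLS-off.
const sampleTables = [
  { name: 'profiles', rlsEnabled: true, policies: [{ name: 'owner', using: 'auth.uid() = user_id', roles: ['authenticated'] }] },
  { name: 'orders', rlsEnabled: true, policies: [] },
  { name: 'posts', rlsEnabled: true, policies: [{ name: 'anyone', using: 'true', roles: ['anon'] }] },
  { name: 'audit_log', rlsEnabled: false, policies: [] },
];
```

`runVectors([rlsMissingPolicy], { tables: sampleTables })` resolves with `failBuild: true` for this snapshot because of `audit_log` and `posts.anyone`.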
Best Practices
1. Scan Before Deployment
Always run SupaRalph before deploying to production.
2. Automate with CI/CD
Set up GitHub Actions for automated scans on every push/PR.
3. Fix Critical First
Prioritize critical and high severity findings.
4. Use Supabase AI for Fixes
Copy findings to Supabase SQL Editor and ask AI to generate fixes.
5. Regular Scanning
Schedule weekly or monthly security scans.
6. Combine with Spark Intelligence
Use Spark to capture security patterns and prevent future vulnerabilities.
Integration with Other Skills
With Spark Intelligence
```bash
qwenclaw send "Use suparalph-security to scan, then spark-intelligence to capture findings as pre-tool advisories for future development"
```
Benefits:
- Spark remembers vulnerabilities found
- Pre-tool advisory warns before similar mistakes
- Auto-promotes security best practices to CLAUDE.md
With Ralph Autonomous Agent
```bash
qwenclaw send "Use ralph-autonomous-agent with suparalph-security to continuously scan and fix vulnerabilities in a loop"
```
Loop Pattern:
```bash
while :; do
  qwenclaw send "Scan with suparalph-security"
  qwenclaw send "Fix critical findings"
  qwenclaw send "Re-scan to verify fixes"
done
```
With Frontend-Design
```bash
qwenclaw send "Use frontend-design skill to create a security dashboard that displays SupaRalph scan results"
```
Skill Metadata
```yaml
name: suparalph-security
version: 1.0.0
category: security
description: >-
  Supabase penetration testing with 277 attack vectors,
  AI-powered fixes, and CI/CD integration
author: Vibeship (https://github.com/vibeforge1111/vibeship-suparalph)
license: MIT
tags:
  - security
  - supabase
  - penetration-testing
  - compliance
  - owasp
  - ci-cd
  - ai-fixes
```
Resources
- GitHub: https://github.com/vibeforge1111/vibeship-suparalph
- Demo: http://localhost:5173 (run locally), or enter `demo` as the URL for a simulated scan
- Supabase Dashboard: https://supabase.com/dashboard
- Supabase AI: https://supabase.com/dashboard/project/_/sql/new
Disclaimer
⚠️ For authorized testing only. Only scan Supabase projects you own or have explicit permission to test. SupaRalph performs real attacks that could affect data. Use responsibly.
SupaRalph: "I'm in danger!" - But your Supabase project doesn't have to be! 🔒✨