npm package discovery and stats viewer.

Discover Tips

  • General search

    [free text search, go nuts!]

  • Package details

    pkg:[package-name]

  • User packages

    @[username]

Sponsor

Optimize Toolset

I’ve always been into building performant and accessible sites, but lately I’ve been taking it extremely seriously. So much so that I’ve been building a tool to help me optimize and monitor the sites that I build to make sure that I’m making an attempt to offer the best experience to those who visit them. If you’re into performant, accessible and SEO friendly sites, you might like it too! You can check it out at Optimize Toolset.

About

Hi, 👋, I’m Ryan Hefner  and I built this site for me, and you! The goal of this site was to provide an easy way for me to check the stats on my npm packages, both for prioritizing issues and updates, and to give me a little kick in the pants to keep up on stuff.

As I was building it, I realized that I was actually using the tool to build the tool, and figured I might as well put this out there and hopefully others will find it to be a fast and useful way to search and browse npm packages as I have.

If you’re interested in other things I’m working on, follow me on Twitter or check out the open source projects I’ve been publishing on GitHub.

I am also working on a Twitter bot for this site to tweet the most popular, newest, random packages from npm. Please follow that account now and it will start sending out packages soon–ish.

Open Software & Tools

This site wouldn’t be possible without the immense generosity and tireless efforts from the people who make contributions to the world and share their work via open source initiatives. Thank you 🙏

© 2026 – Pkg Stats / Ryan Hefner

@perufitlife/supabase-security-mcp

v0.3.0

Published

MCP server for Supabase security: audit (with active anon-key probe that proves leaks live), dry-run fixes, and apply remediations with rollback. The only auditor that closes the loop in your AI agent.

Downloads

47

Vulnerabilities

Powered byPowered by Snyk
  • 0High
  • 0Medium
  • 0Low

Links

Git

Maintainers

renzom13renzom13

Keywords

mcpsupabasesecurityrlsauditremediationclaudecursor

Readme

supabase-security-mcp

The only Supabase security tool that closes the loop in your AI agent. Audit, preview the fix, and apply it — without leaving Claude / Cursor / Cline.

You: audit my supabase project rkmrsefraqssuyuniyco

Claude: Found 17 critical leaks. Want me to apply all SQL fixes?
        Run preview_fix on each first?

You: preview them all, then apply if safe.

Claude: [previews each]
        All 17 fixes preview cleanly. Applying...
        Done. Re-audited: 0 critical findings remaining.

Other Supabase scanners (SupaExplorer, AuditYourApp, Vibe App Scanner) report. None of them remediate. This one does.

Tools

| Tool | What it does | |---|---| | audit_project | Scan a project. Returns JSON findings. Caches for follow-up tools. | | list_findings | List cached findings, optionally filter by severity. | | preview_fix | Wrap the fix SQL in BEGIN; ... ROLLBACK; and verify it would run. Safe. | | apply_fix | Actually apply one finding's fix. Requires confirm: true. Re-audits to verify. | | apply_all_fixes | Bulk-apply at or above a severity. Single transaction — all or nothing. |

Install

Claude Desktop / Claude Code

Add to your MCP config (~/.claude.json or claude_desktop_config.json):

{
  "mcpServers": {
    "supabase-security": {
      "command": "npx",
      "args": ["-y", "@perufitlife/supabase-security-mcp@latest"],
      "env": {
        "SUPABASE_ACCESS_TOKEN": "sbp_your_personal_access_token"
      }
    }
  }
}

Get a token at https://supabase.com/dashboard/account/tokens (read+write to your projects).

Cursor

Settings → MCP → Add new MCP server → paste the same JSON object as above.

Cline / Continue / etc.

Anything that supports MCP stdio servers will work — point it at npx -y @perufitlife/supabase-security-mcp@latest with the env var set.

Safety model

  • Never auto-applies. Every apply_fix and apply_all_fixes call requires confirm: true.
  • Preview before apply. preview_fix runs the SQL inside BEGIN; ... ROLLBACK; so you see if it would error before touching state.
  • All-or-nothing bulk apply. apply_all_fixes runs everything in a single transaction. If any statement fails, the entire change rolls back.
  • Re-audit after apply. Every apply_fix re-runs the audit and reports whether the finding is actually gone — protects against fix-that-doesn't-fix.
  • Read-only by default for audit_project. Token can be a read-only PAT if you only want to scan, never remediate. (For apply_fix, you need write access.)

What it scans

Inherits all checks from supabase-security-skill:

  • Tables with RLS disabled and direct anon grants
  • SECURITY DEFINER functions executable by anon
  • Public storage buckets
  • Default privileges still granting CRUD to anon
  • Auth signups with autoconfirm enabled
  • Defense-in-depth: RLS-locked tables with stale anon grants

Why MCP and not just a CLI

CLIs are great. They're not in your AI agent's context. When you're vibing with Claude in your IDE, asking "is my supabase tight?" should get an actual scan, not a "you should run this command on your laptop."

The flow this enables:

  1. "Add a subscriptions table to my schema." → agent does it
  2. "Now scan for security issues." → agent calls audit_project
  3. Agent notices the new table has no RLS.
  4. "Want to fix?"preview_fix, then apply_fix after you say yes.

That round-trip is the actual product. The audit is just step 2.

Roadmap

  • [ ] Cron job audit (pg_cron)
  • [ ] Edge function secrets scan
  • [ ] Storage object-level RLS scan
  • [ ] HTML report generation as a tool (returns base64 + filename)
  • [ ] CORS configuration check

License

MIT.