Supabase Development Guide
Practical guidance for AI agents building, securing, and migrating Supabase applications.
The goal and audience are clear: support developers and agents working across Supabase development, CLI, MCP, auth, RLS, migrations, and security review. It provides concrete principles and security pitfalls, but the “ANY task” trigger is overly broad and non-fit boundaries, alternatives, and outcome evidence are limited, so full marks are not justified.
The skill specifies version discovery, documentation checks, reconsideration after repeated failure, and verification steps, making the main workflow plausible and reasonably consistent. However, there are no skill-specific functional tests; CI mainly tests installation and discovery. Static review cannot confirm command behavior, version gates, or technical assertions, so the score remains below the static ceiling.
The source explicitly addresses exposed secrets, RLS, BOLA, SECURITY DEFINER, views, storage permissions, and dependency pinning, showing substantial risk awareness. It does not consistently require confirmation before high-impact database changes, grants, or external MCP operations, and rollback and data-flow disclosures are incomplete, preventing a near-full score.
The skill contains auditable rules, SQL examples, and documentation references, while the repository supplies real CI and installation sanity tests. Those tests do not cover the skill’s key security and operational guidance, and there is no independent reproduction evidence; static support is therefore useful but limited.
Triggers, CLI/MCP alternatives, declarative versus imperative schema workflows, and several troubleshooting steps are fairly clear, with installation described in the shared README. The very broad scope leaves users to infer inputs, outputs, costs, permissions, exit criteria, and additional failure handling, creating significant hidden assumptions.
MIT licensing, author metadata, a skill version, changelog entries, version-check guidance, and release CI provide partial maintenance signals. Publisher provenance is explicitly unverified, and the SKILL.md version 0.1.2 conflicts with newer CHANGELOG and package versions, so governance and version traceability are incomplete.
- Do not treat every Supabase task as automatically in scope; confirm the product, versions, permissions, and project workflow first.
- Before executing SQL, granting anon/authenticated access, changing RLS, or configuring MCP, confirm scope, backups, and rollback plans.
- The skill requires online changelog, documentation, and MCP access but does not fully explain network, credential, data-egress, or fallback implications.
- The SKILL.md version metadata conflicts with the repository CHANGELOG and package version; confirm the actual released version before adoption.
What it does & when to use it
This is Supabase’s Agent Skill for developers who use AI agents with Supabase. It covers Database, Auth, Edge Functions, Realtime, Storage, Vectors, Cron, Queues, client libraries, SSR integrations, the CLI, MCP, and Postgres extensions. The skill instructs agents to check the changelog and current documentation before implementation, then verify their work. It also includes concrete security guidance for RLS, JWT claims, views, privileged functions, Storage, and exposed keys.
It directs agents to fetch the Supabase changelog and relevant documentation, inspect breaking-change entries, discover CLI commands with supabase --help, check the CLI version, and verify fixes with test queries. It provides procedures for checking MCP reachability, .mcp.json configuration, and OAuth authentication. Where applicable, it references MCP operations such as search_docs, execute_sql, and get_advisors. It also guides agents through declarative-schema and imperative-migration workflows, including generating, reviewing, and verifying migrations.
- Developers integrating Supabase clients or SSR with Next.js, React, SvelteKit, Astro, or Remix.
- Teams troubleshooting login, logout, sessions, JWTs, cookies, `getSession`, `getUser`, `getClaims`, or RLS.
- Engineers designing schemas, writing migrations, using declarative schemas, or operating the Supabase CLI or MCP server.
- Developers auditing implementations involving Auth, RLS, views, Storage, user data, or privileged Postgres functions.
- Teams working on Postgres queries, indexes, connection pooling, or RLS that also want to use the repository’s separate Postgres best-practices skill.
Pros & cons
- Broad coverage of Supabase products, client integrations, CLI, MCP, schema changes, and security audits.
- Includes specific checks for RLS, JWT claims, views, SECURITY DEFINER functions, Storage, and key exposure.
- Distinguishes declarative-schema and imperative-migration workflows.
- MIT licensed and described as compatible with more than 18 AI agents.
- Relies on current Supabase documentation, network access, and potentially a configured CLI or MCP environment.
- Some CLI and MCP workflows have explicit version or authentication prerequisites; older CLI versions require fallbacks.
- The supplied metadata does not identify a fixed skill path, and the source does not provide a test suite or test results.
How to install
Install the specific skill with the command provided in the README: npx skills add supabase/agent-skills --skill supabase. To install all skills, run npx skills add supabase/agent-skills. Claude Code users can also add the repository as a marketplace and run claude plugin install supabase@supabase-agent-skills. The supplied repository metadata does not document a fixed skill path.
How to use
After installation, give the agent a concrete request such as Help me set up Supabase Auth with Next.js, Review my Supabase RLS policies, or Create a migration for this schema change. The agent should consult the current changelog and documentation first, then run a test query or other relevant verification after making changes.