Supabase Agent Skills
Official Supabase Agent Skills for AI coding agents working with Supabase Database, Auth, Edge Functions, Realtime, Storage, Vectors, CLI, MCP, RLS, migrations, and Postgres performance.
Open the source and read safety notes before installing.
Safety notes
- The skills guide agents toward Supabase schema, auth, RLS, migration, MCP, and Postgres work that can affect real user data; generated SQL and policies need human review.
- The Supabase skill explicitly treats RLS, exposed schemas, service-role keys, JWT claims, views, storage policies, and SECURITY DEFINER functions as security-sensitive areas.
- Do not let an agent apply migrations or production SQL just because the skill suggests a workflow; run advisors, inspect generated SQL, and verify against the intended environment.
- The repository includes Supabase MCP configuration for docs-only MCP access. Project-scoped MCP or database access still needs proper authentication, least privilege, and review.
Privacy notes
- Supabase tasks can involve schemas, SQL, RLS policies, migrations, auth settings, JWT claims, storage paths, Edge Function code, logs, and customer data.
- Keep SUPABASE_ACCESS_TOKEN, service_role keys, database passwords, JWT secrets, project refs, connection strings, OAuth secrets, and private schema dumps out of prompts, screenshots, public PRs, and committed configs.
- When using Supabase MCP or CLI tools, the connected agent may see project metadata, database structure, logs, or SQL results depending on granted permissions.
- Docs-only MCP access is safer than project MCP access, but user queries and docs snippets can still be forwarded into the configured model provider.
Prerequisites
- AI coding agent or skill installer compatible with Agent Skills repositories.
- Supabase project, local Supabase app, or planned Supabase integration.
- Current Supabase docs access, Supabase CLI help, or Supabase MCP server access for exact commands and API details.
- Database access appropriate to the task when validating SQL, RLS, migrations, advisors, or performance fixes.
Schema details
- Install type
- package
- Reading time
- 7 min
- Difficulty score
- 74
- Troubleshooting
- Yes
- Breaking changes
- No
- Scope
- Source repo
- Skill type
- capability-pack
- Skill level
- expert
- Verification
- validated
- Verified at
- 2026-06-18
| Platform | Support | Install path |
|---|---|---|
| claude-code | Native | .claude/skills/<skill-name>/SKILL.md |
| codex | Native | .agents/skills/<skill-name>/SKILL.md |
| windsurf | Native | .windsurf/skills/<skill-name>/SKILL.md |
| gemini | Native | .gemini/skills/<skill-name>/SKILL.md or .agents/skills/<skill-name>/SKILL.md |
| cursor | Adapter | .cursor/rules/<skill-name>.mdc |
| cli | Manual | AGENTS.md or tool-specific context file |
Full copyable content
npx skills add supabase/agent-skills
# Install a focused skill
npx skills add supabase/agent-skills --skill supabase
npx skills add supabase/agent-skills --skill supabase-postgres-best-practicesAbout this resource
Supabase Agent Skills
supabase/agent-skills is Supabase's official skill repository for AI coding
agents. It packages task-specific instructions and references so agents can work
more reliably with Supabase products, Supabase CLI, Supabase MCP, Row Level
Security, migrations, and Postgres performance.
The repository currently publishes two skills:
supabase: broad Supabase development guidance covering Database, Auth, Edge Functions, Realtime, Storage, Vectors, Cron, Queues, client libraries, SSR integrations, CLI, MCP, migrations, RLS, security audits, and extensions.supabase-postgres-best-practices: Postgres performance and design guidance from Supabase, organized across query performance, connection management, security and RLS, schema design, locking, access patterns, monitoring, and advanced features.
Use this entry when an agent needs reusable Supabase operating guidance. Use a separate Supabase MCP listing when the question is specifically about connecting an agent to Supabase's hosted MCP tools.
Knowledge Freshness
Supabase products, CLI commands, MCP behavior, SSR helpers, Auth guidance,
Postgres features, and security recommendations change frequently. The broad
supabase skill explicitly instructs agents to verify current docs and
changelog context before implementing features instead of relying on model
memory.
For exact implementation details, pair the skills with current Supabase docs,
the Supabase MCP server, supabase --help, package-specific documentation, and
the actual version installed in the target project.
Retrieval Sources
This listing is grounded in:
- Supabase's official
supabase/agent-skillsrepository. - Supabase's Agent Skills docs page.
- Supabase's
.well-known/agent-skills/discovery index. - The
supabaseskill manifest. - The
supabase-postgres-best-practicesskill manifest. - Repository package metadata, which identifies the package as official Supabase agent skills under MIT licensing.
Core Workflow
Install all Supabase skills:
npx skills add supabase/agent-skills
Install a focused skill:
npx skills add supabase/agent-skills --skill supabase
npx skills add supabase/agent-skills --skill supabase-postgres-best-practices
Claude Code users can also install Supabase's skill marketplace and plugins:
claude plugin marketplace add supabase/agent-skills
claude plugin install supabase@supabase-agent-skills
claude plugin install postgres-best-practices@supabase-agent-skills
The .well-known/agent-skills/ endpoint publishes archive URLs and SHA-256
digests for released skill bundles. That makes it useful for agents and
installers that support Agent Skills discovery metadata.
Capability Scope
The broad supabase skill applies to product-wide Supabase development:
- Database, Auth, Edge Functions, Realtime, Storage, Vectors, Cron, and Queues.
supabase-js,@supabase/ssr, and integrations for frameworks such as Next.js, React, SvelteKit, Astro, and Remix.- Auth troubleshooting for sessions, JWTs, cookies,
getSession,getUser,getClaims, RLS, and login/logout flows. - Supabase CLI, Supabase MCP, schema changes, migrations, security audits, and
extensions such as
pg_graphql,pg_cron, andpg_vector.
The Postgres best-practices skill focuses on query optimization, indexes, connection pooling, schema design, concurrency, locking, security, RLS, monitoring, diagnostics, and advanced Postgres features.
Production Rules
Treat Supabase work as production-sensitive when it touches data, identity, authorization, or migrations.
- Review generated SQL, policies, triggers, views, and functions before they run against shared or production databases.
- Never expose
service_rolekeys, secret keys, database passwords, JWT secrets, OAuth secrets, or connection strings in public clients or prompts. - Enable and review RLS for tables in exposed schemas instead of relying on role grants alone.
- Avoid using user-editable metadata in authorization decisions.
- Be careful with
SECURITY DEFINER, views, storage upserts, migration history, and SQL execution through MCP or CLI tools. - Run Supabase advisors, tests, and real verification queries when a change affects schema, access control, or performance.
Use Cases
- Ask Claude Code to set up Supabase Auth with SSR while checking current docs.
- Have Codex review RLS policies for common Supabase-specific mistakes.
- Use Cursor to optimize a slow Postgres query with Supabase's index and connection-management guidance.
- Ask an agent to generate a migration plan, then inspect and validate the SQL before applying it.
- Pair the skills with Supabase MCP docs access so the agent can retrieve current product documentation while following the skill's security workflow.
Source Review
- The repository README describes Supabase Agent Skills as folders of instructions, scripts, and resources for agents, compatible with Claude Code, GitHub Copilot, Cursor, Cline, and other agents.
- Supabase's docs page documents
npx skills add supabase/agent-skills, focused--skillinstallation, project-scope installation, and the relationship to Supabase's combined plugin setup. - The
.well-known/agent-skills/endpoint exposessupabaseandsupabase-postgres-best-practicesarchives with SHA-256 digests. - The
supabaseskill manifest lists product-wide Supabase triggers and includes security-sensitive guidance for RLS, Data API exposure, JWT claims, service-role keys, views, storage, dependency pinning, CLI usage, and MCP setup. - The Postgres best-practices skill manifest describes eight prioritized categories covering performance, connection management, schema design, locking, security, access patterns, monitoring, and advanced features.
Duplicate Review
Checked current content/skills/, content/mcp/, content/tools/, open pull
requests, and repository-wide content for Supabase Agent Skills,
supabase/agent-skills, supabase-postgres-best-practices, Supabase skills,
and Supabase MCP skill. Existing Supabase content covers realtime database
skills and Supabase expert rules, but no dedicated official Supabase Agent
Skills entry, exact source URL duplicate, target file, or open duplicate PR was
found.
Disclosure
Editorial listing. No paid placement or affiliate link is used. Supabase Agent Skills are published by Supabase under MIT package metadata. Supabase also offers hosted commercial infrastructure and platform services.
Source citations
Add this badge to your README
Show that Supabase Agent Skills is listed on HeyClaude. Paste this Markdown into your README — it renders the badge and links back to this page.
[](https://heyclau.de/entry/skills/supabase-agent-skills)How it compares
Supabase Agent Skills side by side with 3 alternatives on trust, install, platform support, and disclosed safety notes — all from reviewed registry metadata.
| Field | Supabase Agent Skills Official Supabase Agent Skills for AI coding agents working with Supabase Database, Auth, Edge Functions, Realtime, Storage, Vectors, CLI, MCP, RLS, migrations, and Postgres performance. Open dossier | Flutter Agent Skills Official Flutter team Agent Skills for AI coding agents building Flutter apps, fixing layout issues, adding widget and integration tests, creating widget previews, applying layered architecture, routing, localization, JSON serialization, and HTTP workflows. Open dossier | GSAP AI Skills Official GreenSock GSAP AI Skills for coding agents that need correct GSAP tweens, timelines, ScrollTrigger, React cleanup, plugins, utilities, framework lifecycle guidance, and animation performance patterns. Open dossier | LiveKit Agent Skills Official LiveKit Agent Skills for AI coding agents building low-latency voice AI, LiveKit Agents workflows, handoffs, mandatory tests, and simulation scenario suites. Open dossier |
|---|---|---|---|---|
| Trust | ||||
| Install risk | Review first | Review first | Review first | Review first |
| Notes | Safety ✓ Privacy ✓ | Safety ✓ Privacy ✓ | Safety ✓ Privacy ✓ | Safety ✓ Privacy ✓ |
| Category | skills | skills | skills | skills |
| Source | source-backed | source-backed | source-backed | source-backed |
| Author | Supabase | Flutter Team | GreenSock | LiveKit |
| Added | 2026-06-18 | 2026-06-18 | 2026-06-18 | 2026-06-18 |
| Platforms | Claude CodeCodexWindsurfGeminiCursorCLI | Claude CodeCodexWindsurfGeminiCursorCLI | Claude CodeCodexWindsurfGeminiCursorCLI | Claude CodeCodexWindsurfGeminiCursorCLI |
| Source repo | — | — | — | — |
| Safety notes | ✓The skills guide agents toward Supabase schema, auth, RLS, migration, MCP, and Postgres work that can affect real user data; generated SQL and policies need human review. The Supabase skill explicitly treats RLS, exposed schemas, service-role keys, JWT claims, views, storage policies, and SECURITY DEFINER functions as security-sensitive areas. Do not let an agent apply migrations or production SQL just because the skill suggests a workflow; run advisors, inspect generated SQL, and verify against the intended environment. The repository includes Supabase MCP configuration for docs-only MCP access. Project-scoped MCP or database access still needs proper authentication, least privilege, and review. | ✓Flutter skills can modify application code, tests, pubspec dependencies, routing, localization files, serialization code, architecture boundaries, and app entry points. Integration-test workflows may enable Flutter Driver extensions, add keys to widgets, launch apps through MCP tools, interact with running UI, and create driver scripts. Do not run device, emulator, browser, Firebase Test Lab, or network-backed integration tests against production services without explicit approval and test credentials. Architecture and routing changes can alter navigation, state management, API access, caching, offline behavior, and user-visible app flows. Use project-local conventions and Flutter version constraints before applying generated examples. | ✓GSAP is primarily a frontend animation library, but generated animations can still break layout, accessibility, input handling, scroll behavior, or client performance. ScrollTrigger, pinned sections, smooth scrolling, and layout-dependent timelines should be tested across viewport sizes and after dynamic content loads. React, Vue, Svelte, and other framework integrations need cleanup on unmount so animations, event listeners, and ScrollTriggers do not leak across renders. Remove development markers, debug helpers, and unnecessary long-running animations before production. | ✓The livekit-agents skill intentionally pushes agents toward implementation work for voice AI systems that can join realtime rooms, call tools, speak to users, and route calls; generated code still needs human review. The skill requires tests for agent behavior, but tests do not prove latency, safety, consent, telephony legality, privacy, or production readiness by themselves. The livekit-simulations skill includes private-beta caveats for simulation commands and requires current CLI help or docs verification before running `lk agent simulate`. Do not let a coding agent invent LiveKit API signatures from memory; the skill repeatedly requires MCP/docs verification because the SDK changes quickly. Voice agent handoffs, tasks, tool calls, and simulation scenarios can influence real user conversations if deployed; validate in staging rooms before production. |
| Privacy notes | ✓Supabase tasks can involve schemas, SQL, RLS policies, migrations, auth settings, JWT claims, storage paths, Edge Function code, logs, and customer data. Keep SUPABASE_ACCESS_TOKEN, service_role keys, database passwords, JWT secrets, project refs, connection strings, OAuth secrets, and private schema dumps out of prompts, screenshots, public PRs, and committed configs. When using Supabase MCP or CLI tools, the connected agent may see project metadata, database structure, logs, or SQL results depending on granted permissions. Docs-only MCP access is safer than project MCP access, but user queries and docs snippets can still be forwarded into the configured model provider. | ✓Flutter projects may contain API URLs, Firebase project IDs, mobile bundle IDs, analytics keys, user fixtures, screenshots, test traces, device logs, crash output, and integration-test artifacts. MCP app exploration can expose widget trees, screen text, test data, typed inputs, navigation paths, and screenshots from the running app. HTTP, JSON, localization, and repository-layer work may touch private API schemas, user data models, translations, product copy, and backend payloads. Keep credentials, private endpoints, screenshots with user data, device logs, Firebase tokens, and proprietary UI flows out of public prompts, issues, PRs, and examples. | ✓The skills are local instruction files and do not require app data by themselves. Do not paste proprietary designs, private Figma exports, customer analytics, unreleased campaign copy, or private frontend source into public prompts or issues when asking an agent to animate UI. If the agent uses browser automation, visual captures, or external model providers while applying these skills, screenshots and source snippets may be processed outside the local project. | ✓LiveKit voice agent work can involve audio, video, transcripts, room metadata, participant identities, phone call details, test personas, tool inputs, tool outputs, and logs. The skills are prompt/instruction assets, but the implementations they guide may send data to LiveKit, STT providers, LLM providers, TTS providers, MCP servers, telephony providers, and observability backends. Keep LIVEKIT_API_SECRET, provider keys, SIP credentials, room tokens, recordings, transcripts, and generated scenario files containing sensitive business logic out of prompts, public issues, screenshots, and committed configs. The simulations skill says scenario generation reads the user's local agent code and should not upload that code; preserve that local-only boundary when using it. |
| Prerequisites |
|
|
|
|
| Install | | | | |
| Config | — | — | — | — |
| Citations | ||||
| Claim | Unclaimed | Unclaimed | Unclaimed | Unclaimed |
Signals
Loading live community signals…
A short, calm digest of reviewed Claude resources. Unsubscribe any time.