PocketBase Security Auditor

May 12, 2026

Audit any PocketBase instance for over-permissive API rules. Get a shareable HTML report with a fix snippet on every finding. The active probe fetches data anonymously to PROVE leaks live — not just infer them.

Run it without installing anything → apify.com/renzomacar/pocketbase-security-auditor (paste PocketBase URL + admin email/password, get HTML report)

⚡ Want me to run it for you and send back a written report? $99, 24h delivery → https://perufitlife.github.io/supabase-security-skill/ (one landing covers all five — Supabase, PocketBase, Appwrite, Hasura, Firebase)

🔁 Want this running on a cron? RLS Monitor does weekly diff-based scans + email alerts when new findings appear — $29/mo, your keys never leave your CI.

📦 Need all 5 BaaS stacks at once? The BaaS Security Pack bundles every scanner + sample reports + fix-SQL libraries — one $99 download.

🪞 Sister tool: aitells detects + rewrites AI fingerprints in your text (em-dashes, "delve", parallel bullets). Free detector + $19 lifetime rewriter at /rewrite.


Sister tools for other BaaS platforms (same --discover flag, all MIT): supabase-security · appwrite-security · firebase-security · nhost-security

Why this exists

PocketBase API rules are easy to write and easy to leave too open. Three patterns I see over and over:

  • Empty rule — leaving listRule blank means the collection is fully public. Anyone can list every record without auth.
  • @request.auth.id != "" — looks restrictive but lets ANY logged-in user (including a self-signed-up anonymous one) read or write the entire collection.
  • true literal — leftover from local dev, evaluates to "always allow."

This auditor surfaces all three across every collection in one command.

Install + run

npx pocketbase-security \
  --url https://my.pocketbase.io \
  --email admin@me.io \
  --password "$PB_ADMIN_PASS" \
  --html report.html

Or via env vars:

POCKETBASE_URL=https://my.pb.io \
POCKETBASE_ADMIN_EMAIL=admin@me.io \
POCKETBASE_ADMIN_PASSWORD=$PB_ADMIN_PASS \
npx pocketbase-security --html report.html

What it checks

 #  Check                                                           Severity
 1  API rule is empty (collection is fully public for that op)      CRITICAL
 2  API rule is @request.auth.id != "" (any logged-in user passes)  HIGH
 3  API rule contains true literal (bypasses all checks)            HIGH
 4  Auth collection has open signup + lax create rule (combo)       HIGH
 5  OAuth2 provider enabled without redirect URL whitelist          MEDIUM
 6  Email auth without verification requirement                     MEDIUM
 7  S3 storage with debug-level logging risk                        LOW

Every finding ships with a fix snippet you paste back into the PocketBase admin UI.

Active probe

Default: ON. After identifying a suspect collection (empty rule, permissive auth, dangerous literal), the auditor sends an anonymous GET to /api/collections/{name}/records?perPage=1. If the request returns data, the finding is marked confirmed: true with a sample showing the row count, columns visible, and bytes leaked.

Pass --no-probe to skip the live fetch (passive mode only, infers from rule metadata).
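The following is an added example (not code from the pocketbase-security package itself) showing how checks 1-3 from the table above can be classified and how an anonymous probe response can be interpreted. It assumes the collection objects have the shape the PocketBase collections endpoint returns (listRule, viewRule, createRule, updateRule, deleteRule) and that a null rule means locked (admins only) while an empty string means public, which is PocketBase's documented semantics. The `true` check is narrowed to a whole OR-branch so that `published = true` is not flagged; the `owner` field in the fix snippets is a placeholder, and the sample collections and probe responses are constructed.

```javascript
// Added example, not the project's own code: classify PocketBase API rules the
// way checks 1-3 in the README describe, attach a fix snippet, and interpret an
// anonymous probe response. All sample data below is constructed.

const OPS = ["listRule", "viewRule", "createRule", "updateRule", "deleteRule"];

// Collapse whitespace and unify quote style so `@request.auth.id != ''`
// and `@request.auth.id!=""` compare equal.
function normalizeRule(rule) {
  return rule.replace(/\s+/g, "").replace(/'/g, '"');
}

// Returns null when the rule is acceptable, otherwise {check, severity, reason}.
// PocketBase semantics: null = locked (admins only), "" = everyone.
function classifyRule(rule) {
  if (rule === null || rule === undefined) return null; // locked, nothing to report
  const r = normalizeRule(rule);
  if (r === "") {
    return { check: 1, severity: "CRITICAL", reason: "empty rule: operation is fully public" };
  }
  if (r === '@request.auth.id!=""') {
    return { check: 2, severity: "HIGH", reason: "any logged-in user passes" };
  }
  // Flag `true` only as a whole OR-branch (`true`, `x || true`), not `published = true`.
  if (r.split("||").some((branch) => branch === "true")) {
    return { check: 3, severity: "HIGH", reason: "true literal bypasses all checks" };
  }
  return null;
}

// Hardened replacement the finding ships with. "owner" is a placeholder relation
// field; use the field that actually links the record to its user.
function fixSnippet(op) {
  if (op === "createRule") {
    // @request.body is PocketBase >= 0.23; older releases call it @request.data.
    return '@request.auth.id != "" && @request.body.owner = @request.auth.id';
  }
  return '@request.auth.id != "" && owner = @request.auth.id';
}

// Walk every collection/op pair and collect findings in a stable order.
function auditCollections(collections) {
  const findings = [];
  for (const c of collections) {
    for (const op of OPS) {
      const hit = classifyRule(c[op]);
      if (hit) {
        findings.push({ collection: c.name, op, ...hit, fix: fixSnippet(op), confirmed: false });
      }
    }
  }
  return findings;
}

// Interpret the response of an anonymous GET .../records?perPage=1 (a PocketBase
// list response carries totalItems and items). Only actual rows count as a
// confirmed leak; an empty-but-readable collection is reported as reachable.
function interpretProbe(status, body) {
  const items = Array.isArray(body?.items) ? body.items : [];
  if (status !== 200) return { confirmed: false, reachable: false };
  if (items.length === 0) return { confirmed: false, reachable: true };
  return {
    confirmed: true,
    reachable: true,
    sample: {
      rows: body.totalItems ?? items.length,
      columns: Object.keys(items[0]),
      bytes: new TextEncoder().encode(JSON.stringify(body)).length,
    },
  };
}

// Live probe against your own instance; fetchImpl is injectable for tests.
// No Authorization header on purpose: this is what an unauthenticated visitor sees.
async function probeLive(baseUrl, collectionName, fetchImpl = globalThis.fetch) {
  const base = baseUrl.replace(/\/+$/, "");
  const url = `${base}/api/collections/${encodeURIComponent(collectionName)}/records?perPage=1`;
  const res = await fetchImpl(url);
  let body = null;
  try { body = await res.json(); } catch { /* non-JSON error page */ }
  return interpretProbe(res.status, body);
}

// Constructed sample: what a collections export might look like.
const SAMPLE_COLLECTIONS = [
  { name: "posts", listRule: "", viewRule: "", createRule: '@request.auth.id != ""',
    updateRule: "owner = @request.auth.id", deleteRule: null },
  { name: "invoices", listRule: "true", viewRule: "owner = @request.auth.id",
    createRule: null, updateRule: null, deleteRule: null },
];

for (const f of auditCollections(SAMPLE_COLLECTIONS)) {
  console.log(`[${f.severity}] ${f.collection}.${f.op}: ${f.reason}\n  fix: ${f.fix}`);
}
```

Against the constructed sample this yields four findings: `posts.listRule` and `posts.viewRule` are empty (check 1, CRITICAL), `posts.createRule` is the bare auth check (check 2), and `invoices.listRule` is a `true` literal (check 3); `deleteRule: null` is locked and produces nothing. `probeLive` is what you would call per suspect collection against your own instance, passing its result into the finding's `confirmed` field.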

Output

  • HTML report — self-contained (~25KB Tailwind + Chart.js via CDN). Top banner shows X of N suspected leaks confirmed live. Every finding card has a red "CONFIRMED LEAK" block when the probe succeeded.
  • JSON — full structured findings (default stdout output if no --html flag).

How to get an admin password

You created one when you initialized PocketBase. If you forgot, reset it via the PB CLI on the host machine: ./pocketbase admin update <email> <new-password>.

The password is used only for this run's admin auth call (collections endpoint requires admin token). The auditor never persists it.

Want it done for you?

Two productized services:

Integration pattern reference

See rotatepilot-skyx-sandbox for a live demo of how a partner consumes one of our public REST APIs in a single static page — built 12-may-2026 in response to an aviation-platform partnership inbound. Same JSON-contract / CORS / edge-served approach we use for pocketbase-security integrations.

Sister AI text tools

If your team writes outreach, PR descriptions, or social posts with AI, the aitells ecosystem catches the fingerprints before they ship:

License

MIT. Free, open source. Built by @Perufitlife.

For Supabase, see the sibling tool: https://github.com/Perufitlife/supabase-security-skill