Firebase Security Rules Auditor

Name: Firebase Security Rules Auditor
Author: firebase

firebase/agent-skills

Red-team Firestore security rules after edits so solo builders catch update bypasses and authority bugs before production.

Overview

Firebase Security Rules Auditor is an agent skill most often used in Ship (also Operate iterate) that red-teams Firestore rules for bypasses, authority flaws, and logic gaps.

Install

npx skills add https://github.com/firebase/agent-skills --skill firebase-security-rules-auditor

What is this skill?

Red-team auditor mindset: actively seek bypass sequences, not complexity theater
Mandatory checklist includes create vs update bypass and authority source on user-writable fields
Evaluates business logic fit so rules do not force insecure client workarounds
Storage abuse checks for string length, array size, and related limits
Invoke whenever Firestore security rules are updated
Mandatory audit checklist with four core themes including Update Bypass and Authority Source

Compatible agents: Claude Code, Cursor, Codex, Windsurf

Adoption & trust: 40.3k installs on skills.sh; 345 GitHub stars; 3/3 security scanners passed (skills.sh audits).

What problem does it solve?

You updated Firestore rules but cannot tell if a user can escalate privileges, mutate documents post-create, or break the app’s real read/write needs.

Who is it for?

Indie developers on Firestore who change rules frequently and want structured red-team review from their coding agent.

Skip if: Skip when you have no Firestore rules to review, need Storage-only or Realtime Database rules without Firestore scope, or want automated CI rule testing setup instead of qualitative audit.

When should I use this skill?

Firestore security rules are updated and you need assurance they are extremely secure and robust.

What do I get? / Deliverables

You receive a rigorous security audit against a mandatory checklist with explicit bypass-hunting findings before relying on rules in production.

Red-team style audit report against mandatory checklist
Identified bypass sequences, authority risks, and business-logic mismatches

Recommended Skills

Azure Compliancemicrosoft/azure-skills

Azure Compliance is a Microsoft agent skill for solo builders and small teams who need structured security and complianc…373k installs·1.2k stars

Openclaw Secure Linux Cloudxixu-me/skills

OpenClaw Secure Linux Cloud guides a hardened VPS deployment—rootless Podman, loopback-only gateway, SSH-tunneled Contro…201k installs·61 stars

Entra Agent Idmicrosoft/azure-skills

entra-agent-id is a Microsoft-authored agent skill for provisioning and operating OAuth-capable identities tailored to A…99.1k installs·1.2k stars

Firestore Security Rules Auditorfirebase/agent-skills

Firestore-security-rules-auditor is a checker skill for solo builders and small teams shipping Firebase-backed apps who …20.3k installs·345 stars

Skill Vetteruseai-pro/openclaw-skills-security

Skill Vetter is a security-first OpenClaw agent skill that makes your coding agent behave like a pre-install auditor for…19.2k installs·62 stars

Gws Modelarmorgoogleworkspace/cli

gws-modelarmor is an agent skill for solo builders who ship products that call Google generative APIs and need a repeata…15.2k installs·26.9k stars

Journey fit

Spans multiple journey phases - primary shelf plus alternate fits below.

Primary fit

Ship security is the canonical moment rules must be proven before users touch real data; audits also matter when rules change in Operate. Security subphase covers pre-launch rule hardening and ongoing rule change review—the skill’s explicit trigger is updated Firestore rules.

Also useful

OperateIteration & experiments

Where it fits

Example use

ShipSecurity

Pre-launch review of role-based rules after adding a collaborators collection.

Example use

ShipSecurity

Compare create and update paths when introducing subscription tier fields writable only at signup.

Example use

OperateIteration & experiments

Re-audit rules patched after a reported permission bug in production.

How it compares

Qualitative red-team rules review skill—not the Firebase Emulator test suite or generic OWASP web scan.

Common Questions / FAQ

Who is firebase-security-rules-auditor for?

Solo builders and small teams storing app data in Firestore who edit security rules and use Claude Code, Cursor, or Codex for a second pair of eyes.

When should I use firebase-security-rules-auditor?

In Ship security before launch after rules change; in Operate iterate when hotfixing rules after an incident; anytime Firestore security rules are updated per the skill description.

Is firebase-security-rules-auditor safe to install?

It analyzes rule text you provide—review the Security Audits panel on this page and avoid pasting production user data into audit prompts.

SKILL.md

READMESKILL.md - Firebase Security Rules Auditor

# Overview
This skill acts as an auditor for Firebase Security Rules, evaluating them against a rigorous set of criteria to ensure they are secure, robust, and correctly implemented.

# Scoring Criteria
## Assessment: Security Validator (Red Team Edition)
You are a Senior Security Auditor and Penetration Tester specializing in Firestore. Your goal is to find "the hole in the wall." Do not assume a rule is secure because it looks complex; instead, actively try to find a sequence of operations to bypass it.

### Mandatory Audit Checklist:
1. **The Update Bypass:** Compare 'create' and 'update' rules. Can a user create a valid document and then 'update' it into an invalid or malicious state (e.g., changing their role, bypassing size limits, or corrupting data types)?
2. **Authority Source:** Does the security rely on user-provided data (request.resource.data) for sensitive fields like 'role', 'isAdmin', or 'ownerId'? Carefully consider the source for that authority.
3. **Business Logic vs. Rules:** Does the rule set actually support the app's purpose? (e.g., In a collaboration app, can collaborators actually read the data? If not, the rules are "broken" or will force insecure workarounds).
4. **Storage Abuse:** Are there string length or array size limits? If not, label it as a "Resource Exhaustion/DoS" risk.
5. **Type Safety:** Are fields checked with 'is string', 'is int', or 'is timestamp'?
6. **Field-Level vs. Identity-Level Security:** Be careful with rules that use \`hasOnly()\` or \`diff()\`. While these restrict *which* fields can be updated, they do NOT restrict *who* can update them unless an ownership check (e.g., \`resource.data.uid == request.auth.uid\`) is also present. If a rule allows any authenticated user to update fields on another user's document without a corresponding ownership check, it is a data integrity vulnerability.

### Admin Bootstrapping & Privileges:
The admin bootstrapping process is limited in this app. If the rules use a single hardcoded admin email (e.g., checking request.auth.token.email == 'admin@example.com'), this should NOT count against the score as long as:
- email_verified is also checked (request.auth.token.email_verified == true).
- It is implemented in a way that does not allow additional admins to add themselves or leave an escalation risk open.

### Scoring Criteria (1-5):
- **1 (Critical):** Unauthorized data access (leaks), privilege escalation, or total validation bypass.
- **2 (Major):** Broken business logic, self-assigned roles, bypass of controls.
- **3 (Moderate):** PII exposure (e.g., public emails), Inconsistent validation (create vs update) on critical fields
- **4 (Minor):** Problems that result in self-data corruption like update bypasses that only impact the user's own data, lack of size limits, missing minor type checks or over-permissive read access on non-sensitive fields.
- **5 (Secure):** Comprehensive validation, strict ownership, and role-based access via secure ACLs.

Return your assessment in JSON format using the following structure:
{
  "score": 1-5,
  "summary": "overall assessment",
  "findings": [
    {
      "check": "checklist item",
      "severity": "critical|major|moderate|minor",
      "issue": "description",
      "recommendation": "fix"
    }
  ]
}

What is this skill?

Red-team auditor mindset: actively seek bypass sequences, not complexity theater

Mandatory checklist includes create vs update bypass and authority source on user-writable fields

Evaluates business logic fit so rules do not force insecure client workarounds

Storage abuse checks for string length, array size, and related limits

Invoke whenever Firestore security rules are updated

Mandatory audit checklist with four core themes including Update Bypass and Authority Source

Compatible agents: Claude Code, Cursor, Codex, Windsurf

Adoption & trust: 40.3k installs on skills.sh; 345 GitHub stars; 3/3 security scanners passed (skills.sh audits).

Who is it for?

Indie developers on Firestore who change rules frequently and want structured red-team review from their coding agent.

Journey fit

Spans multiple journey phases - primary shelf plus alternate fits below.

Primary fit

Also useful

OperateIteration & experiments

Where it fits

Example use

ShipSecurity

Pre-launch review of role-based rules after adding a collaborators collection.

Example use

ShipSecurity

Compare create and update paths when introducing subscription tier fields writable only at signup.

Example use

OperateIteration & experiments

Re-audit rules patched after a reported permission bug in production.

SKILL.md

READMESKILL.md - Firebase Security Rules Auditor

# Overview
This skill acts as an auditor for Firebase Security Rules, evaluating them against a rigorous set of criteria to ensure they are secure, robust, and correctly implemented.

# Scoring Criteria
## Assessment: Security Validator (Red Team Edition)
You are a Senior Security Auditor and Penetration Tester specializing in Firestore. Your goal is to find "the hole in the wall." Do not assume a rule is secure because it looks complex; instead, actively try to find a sequence of operations to bypass it.

### Mandatory Audit Checklist:
1. **The Update Bypass:** Compare 'create' and 'update' rules. Can a user create a valid document and then 'update' it into an invalid or malicious state (e.g., changing their role, bypassing size limits, or corrupting data types)?
2. **Authority Source:** Does the security rely on user-provided data (request.resource.data) for sensitive fields like 'role', 'isAdmin', or 'ownerId'? Carefully consider the source for that authority.
3. **Business Logic vs. Rules:** Does the rule set actually support the app's purpose? (e.g., In a collaboration app, can collaborators actually read the data? If not, the rules are "broken" or will force insecure workarounds).
4. **Storage Abuse:** Are there string length or array size limits? If not, label it as a "Resource Exhaustion/DoS" risk.
5. **Type Safety:** Are fields checked with 'is string', 'is int', or 'is timestamp'?
6. **Field-Level vs. Identity-Level Security:** Be careful with rules that use \`hasOnly()\` or \`diff()\`. While these restrict *which* fields can be updated, they do NOT restrict *who* can update them unless an ownership check (e.g., \`resource.data.uid == request.auth.uid\`) is also present. If a rule allows any authenticated user to update fields on another user's document without a corresponding ownership check, it is a data integrity vulnerability.

### Admin Bootstrapping & Privileges:
The admin bootstrapping process is limited in this app. If the rules use a single hardcoded admin email (e.g., checking request.auth.token.email == 'admin@example.com'), this should NOT count against the score as long as:
- email_verified is also checked (request.auth.token.email_verified == true).
- It is implemented in a way that does not allow additional admins to add themselves or leave an escalation risk open.

### Scoring Criteria (1-5):
- **1 (Critical):** Unauthorized data access (leaks), privilege escalation, or total validation bypass.
- **2 (Major):** Broken business logic, self-assigned roles, bypass of controls.
- **3 (Moderate):** PII exposure (e.g., public emails), Inconsistent validation (create vs update) on critical fields
- **4 (Minor):** Problems that result in self-data corruption like update bypasses that only impact the user's own data, lack of size limits, missing minor type checks or over-permissive read access on non-sensitive fields.
- **5 (Secure):** Comprehensive validation, strict ownership, and role-based access via secure ACLs.

Return your assessment in JSON format using the following structure:
{
  "score": 1-5,
  "summary": "overall assessment",
  "findings": [
    {
      "check": "checklist item",
      "severity": "critical|major|moderate|minor",
      "issue": "description",
      "recommendation": "fix"
    }
  ]
}

Overview

Install

What is this skill?

What problem does it solve?

Who is it for?

When should I use this skill?

What do I get? / Deliverables

Recommended Skills

Journey fit

Where it fits

Who is firebase-security-rules-auditor for?

When should I use firebase-security-rules-auditor?

Is firebase-security-rules-auditor safe to install?

SKILL.md

This week for builders

Overview

Install

What is this skill?

What problem does it solve?

Who is it for?

When should I use this skill?

What do I get? / Deliverables

Recommended Skills

Journey fit

Where it fits

Who is firebase-security-rules-auditor for?

When should I use firebase-security-rules-auditor?

Is firebase-security-rules-auditor safe to install?

SKILL.md