PluginBench
Skill
Official
Pass
Audit score 90

firebase-security-rules-auditor

firebase/agent-skills

Audit Firestore security rules for vulnerabilities and compliance with security best practices.

What is firebase-security-rules-auditor?

This skill evaluates Firestore security rules against a rigorous red-team audit checklist to identify authorization bypasses, privilege escalation risks, and data integrity issues. Use it whenever security rules are created or updated to ensure they are secure, robust, and correctly implemented.

  • Performs red-team security analysis to find bypass sequences and vulnerabilities
  • Checks for update bypasses where users can create valid documents then modify them into invalid states
  • Validates authority sources and prevents self-assigned roles or privilege escalation
  • Detects resource exhaustion risks from missing string length or array size limits
  • Verifies type safety with proper field validation (string, int, timestamp checks)
  • Identifies field-level vs. identity-level security gaps and ownership validation issues

How to install firebase-security-rules-auditor

npx skills add https://github.com/firebase/agent-skills --skill firebase-security-rules-auditor
Claude Code
Cursor
Windsurf
Cline

How to use firebase-security-rules-auditor

  1. 1.Provide your Firestore security rules (in .rules format or as text)
  2. 2.The auditor will analyze them against the mandatory checklist: update bypasses, authority sources, business logic alignment, storage abuse risks, type safety, and ownership validation
  3. 3.Review the returned JSON assessment with score (1-5), summary, and detailed findings
  4. 4.Address each finding according to severity level (critical, major, moderate, minor)
  5. 5.Re-run the audit after making rule changes to verify fixes

Use cases

Good for
  • Review security rules before deploying to production Firestore databases
  • Audit existing rule sets after updates to catch new vulnerabilities
  • Validate role-based access control (RBAC) implementations in collaborative apps
  • Check for PII exposure or unintended public data access
  • Verify admin bootstrapping processes don't create privilege escalation paths
Who it's for
  • Backend engineers implementing Firestore security rules
  • Security auditors and penetration testers
  • DevOps and platform teams managing Firebase deployments
  • Developers building collaborative or multi-tenant applications

firebase-security-rules-auditor FAQ

What does a score of 1-5 mean?

1 = Critical (unauthorized access, privilege escalation, total bypass); 2 = Major (broken logic, self-assigned roles); 3 = Moderate (PII exposure, inconsistent validation); 4 = Minor (self-data corruption, missing size limits); 5 = Secure (comprehensive validation, strict ownership, secure ACLs).

Will this catch all security issues?

This skill performs rigorous red-team analysis against a mandatory checklist, but security is contextual. Always combine automated auditing with manual review, threat modeling, and testing specific to your application's business logic.

Does the auditor check admin bootstrapping?

Yes. Hardcoded admin emails are acceptable only if email_verified is also checked and the implementation doesn't allow privilege escalation or self-promotion to admin.

What if my rules have complex custom logic?

The auditor evaluates rules against the checklist criteria. Complex logic is scrutinized for bypasses, especially in create vs. update flows and ownership validation.

Can I use this for rules that aren't Firestore?

This skill is specialized for Firestore security rules. It may not apply to other database rule syntaxes or security frameworks.

Full instructions (SKILL.md)

Source of truth, from firebase/agent-skills.


name: firebase-security-rules-auditor description: A skill to evaluate how secure Firestore security rules are. Use this when Firestore security rules are updated to ensure that the generated rules are extremely secure and robust.

Overview

This skill acts as an auditor for Firebase Security Rules, evaluating them against a rigorous set of criteria to ensure they are secure, robust, and correctly implemented.

Scoring Criteria

Assessment: Security Validator (Red Team Edition)

You are a Senior Security Auditor and Penetration Tester specializing in Firestore. Your goal is to find "the hole in the wall." Do not assume a rule is secure because it looks complex; instead, actively try to find a sequence of operations to bypass it.

Mandatory Audit Checklist:

  1. The Update Bypass: Compare 'create' and 'update' rules. Can a user create a valid document and then 'update' it into an invalid or malicious state (e.g., changing their role, bypassing size limits, or corrupting data types)?
  2. Authority Source: Does the security rely on user-provided data (request.resource.data) for sensitive fields like 'role', 'isAdmin', or 'ownerId'? Carefully consider the source for that authority.
  3. Business Logic vs. Rules: Does the rule set actually support the app's purpose? (e.g., In a collaboration app, can collaborators actually read the data? If not, the rules are "broken" or will force insecure workarounds).
  4. Storage Abuse: Are there string length or array size limits? If not, label it as a "Resource Exhaustion/DoS" risk.
  5. Type Safety: Are fields checked with 'is string', 'is int', or 'is timestamp'?
  6. Field-Level vs. Identity-Level Security: Be careful with rules that use `hasOnly()` or `diff()`. While these restrict which fields can be updated, they do NOT restrict who can update them unless an ownership check (e.g., `resource.data.uid == request.auth.uid`) is also present. If a rule allows any authenticated user to update fields on another user's document without a corresponding ownership check, it is a data integrity vulnerability.

Admin Bootstrapping & Privileges:

The admin bootstrapping process is limited in this app. If the rules use a single hardcoded admin email (e.g., checking request.auth.token.email == 'admin@example.com'), this should NOT count against the score as long as:

  • email_verified is also checked (request.auth.token.email_verified == true).
  • It is implemented in a way that does not allow additional admins to add themselves or leave an escalation risk open.

Scoring Criteria (1-5):

  • 1 (Critical): Unauthorized data access (leaks), privilege escalation, or total validation bypass.
  • 2 (Major): Broken business logic, self-assigned roles, bypass of controls.
  • 3 (Moderate): PII exposure (e.g., public emails), Inconsistent validation (create vs update) on critical fields
  • 4 (Minor): Problems that result in self-data corruption like update bypasses that only impact the user's own data, lack of size limits, missing minor type checks or over-permissive read access on non-sensitive fields.
  • 5 (Secure): Comprehensive validation, strict ownership, and role-based access via secure ACLs.

Return your assessment in JSON format using the following structure: { "score": 1-5, "summary": "overall assessment", "findings": [ { "check": "checklist item", "severity": "critical|major|moderate|minor", "issue": "description", "recommendation": "fix" } ] }