Appwrite Security Audit - Find Public Collections Free
Pricing
Pay per usage
Audit any Appwrite project (cloud or self-hosted) for collections with over-permissive document-level permissions, public reads, and anonymous writes. Active anon fetch confirms live leaks. HTML report with paste-ready fix snippets. Free.
Developer
Renzo Madueno
Appwrite Security Auditor
If any of your Appwrite collections has the any role on read or list, anyone in the world can dump every document without auth right now. This actor finds those leaks in 30 seconds and tells you exactly which permissions to revoke.
Scan any Appwrite project for over-permissive collection/document permissions. Get a shareable HTML report. Active probe fetches data anonymously to PROVE leaks live, not just infer them.
Why this exists
Appwrite has a powerful permission model that's easy to leave too open. Three patterns I see over and over in production:
- any role on read or list — the collection is fully public. Anyone can dump every document without auth.
- users role too broadly — any signed-up user (including a self-registered anonymous one) reads or writes the entire collection.
- Document Security disabled — collection-level perms apply to ALL documents. A single broad rule exposes everything.
This actor surfaces all of them across every database/collection in your project in one click.
What it checks
| # | Check | Severity |
|---|---|---|
| 1 | Permission grants any role | CRITICAL |
| 2 | Permission grants users role too broadly | HIGH |
| 3 | Document Security OFF on permission-protected collection | HIGH |
| 4 | Team-based permission lacks role specificity | MEDIUM |
| 5 | OAuth2 misconfig | MEDIUM |
| 6 | Email auth without verification | MEDIUM |
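As an added illustration (not the actor's own code), the classifier below applies checks 1 to 4 from the table to a collection object shaped like the one Appwrite's Databases API returns (`$id`, `$permissions` as a list of strings such as `read("any")`, and the `documentSecurity` flag); the sample collections are constructed, and checks 5 and 6 are project auth settings rather than collection data, so they are left out.

```python
import re

# Appwrite permission strings: read("any"), update("users"), create("team:abc/owner"), write("users/verified")
PERM_RE = re.compile(r'^(read|create|update|delete|write)\("([^"]+)"\)$')
SEVERITY = {1: "CRITICAL", 2: "HIGH", 3: "HIGH", 4: "MEDIUM"}   # mirrors the check table above


def parse_permission(perm: str) -> tuple:
    """Split an Appwrite permission string into (action, role); reject malformed input."""
    m = PERM_RE.match(perm.strip())
    if not m:
        raise ValueError(f"unrecognised permission string: {perm!r}")
    return m.group(1), m.group(2)


def audit_collection(collection: dict) -> list:
    """Classify one collection ('$id', '$permissions', 'documentSecurity' as returned by
    the Databases API) against checks 1-4; auth checks 5-6 are out of scope here."""
    cid, perms = collection["$id"], collection.get("$permissions", [])
    findings = []
    for perm in perms:
        action, role = parse_permission(perm)
        if role == "any":        # check 1: no session needed at all
            findings.append((1, f'{cid}: {perm} is world-open; replace "any" with a user, team or label role'))
        elif role == "users":    # check 2: every account, including anonymous sessions
            findings.append((2, f'{cid}: {perm} includes anonymous sign-ups; narrow to users/verified or a team'))
        elif role.startswith("team:") and "/" not in role:   # check 4: whole team, no role qualifier
            findings.append((4, f'{cid}: {perm} covers every team member; qualify it, e.g. team:ID/owner'))
    if perms and not collection.get("documentSecurity", False):   # check 3
        findings.append((3, f'{cid}: Document Security is off, so these rules apply to every document'))
    return [{"check": c, "severity": SEVERITY[c], "collection": cid, "detail": d} for c, d in findings]


def worst_severity(findings: list) -> str:
    """Highest severity present, or 'NONE' when the collection is clean."""
    present = {f["severity"] for f in findings}
    return next((s for s in ("CRITICAL", "HIGH", "MEDIUM") if s in present), "NONE")


# Constructed sample collections (not real project data) exercising each check.
SAMPLE_COLLECTIONS = [
    {"$id": "posts", "documentSecurity": False,
     "$permissions": ['read("any")', 'create("users")', 'update("team:editors")']},
    {"$id": "profiles", "documentSecurity": True,
     "$permissions": ['read("users/verified")', 'update("team:editors/owner")']},
]

if __name__ == "__main__":
    for col in SAMPLE_COLLECTIONS:
        report = audit_collection(col)
        print(f"{col['$id']}: worst={worst_severity(report)}")
        for f in report:
            print(f"  [{f['severity']}] check {f['check']}: {f['detail']}")
```

Feeding it real data means listing collections with a key scoped to databases.read and collections.read, as described under "How to get an API key"; a finding here is only a suspected leak until an anonymous fetch confirms it.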
Output
- HTML report (key REPORT) — self-contained Tailwind + Chart.js. Top banner shows X of N suspected leaks confirmed live. Every finding has a fix snippet.
- Dataset — every finding as a row.
- SUMMARY — counts + active-probe stats for monitoring pipelines.
How to get an API key
- Open your Appwrite console → Project Settings → API Keys → "Create API Key"
- Required scopes: databases.read, collections.read, projects.read
- Copy the key immediately (Appwrite shows it only once)
The key is used only for this run. Never persisted.
Apply fixes
This actor never modifies your Appwrite project. Each finding ships with a fix snippet you paste back into the Appwrite admin console.
For an agent loop (audit + preview inside Claude Code / Cursor / Cline) see the sibling MCP server: https://github.com/Perufitlife/appwrite-security-mcp
Want a written report + Q&A support?
Free actor → you find leaks. $29 lite tier (top 3 critical fixes + written summary) or $99 full audit (every collection's permissions + 30-day Q&A + paste-ready bundle, 24h delivery). The CTA links inside the HTML report take you to Stripe.
License + source
MIT. Open source: https://github.com/Perufitlife/appwrite-security-skill