# Appwrite Security Audit - Find Public Collections Free (`renzomacar/appwrite-security-auditor`) Actor

Audit any Appwrite project (cloud or self-hosted) for collections with over-permissive document-level permissions, public reads, and anonymous writes. Active anon fetch confirms live leaks. HTML report with paste-ready fix snippets. Free.

- **URL**: https://apify.com/renzomacar/appwrite-security-auditor.md
- **Developed by:** [Renzo Madueno](https://apify.com/renzomacar) (community)
- **Categories:** Developer tools
- **Stats:** 1 total users, 0 monthly users, 0.0% runs succeeded
- **User rating**: No ratings yet

## Pricing

Pay per usage

This Actor is paid per platform usage. The Actor is free to use, and you only pay for the Apify platform usage, which gets cheaper the higher subscription plan you have.

Learn more: https://docs.apify.com/platform/actors/running/actors-in-store#pay-per-usage

## What's an Apify Actor?

Actors are software tools running on the Apify platform, for all kinds of web data extraction and automation use cases.
In Batch mode, an Actor accepts a well-defined JSON input, performs an action which can take anything from a few seconds to a few hours,
and optionally produces a well-defined JSON output, datasets with results, or files in key-value store.
In Standby mode, an Actor provides a web server which can be used as a website, API, or an MCP server.
Actors are written with capital "A".

## How to integrate an Actor?

If asked about integration, you help developers integrate Actors into their projects.
You adapt to their stack and deliver integrations that are safe, well-documented, and production-ready.
The best way to integrate Actors is as follows.

In JavaScript/TypeScript projects, use official [JavaScript/TypeScript client](https://docs.apify.com/api/client/js.md):

```bash
npm install apify-client
```

In Python projects, use official [Python client library](https://docs.apify.com/api/client/python.md):

```bash
pip install apify-client
```

In shell scripts, use [Apify CLI](https://docs.apify.com/cli/docs.md):

```bash
# MacOS / Linux
curl -fsSL https://apify.com/install-cli.sh | bash
# Windows
irm https://apify.com/install-cli.ps1 | iex
```

In AI frameworks, you might use the [Apify MCP server](https://docs.apify.com/platform/integrations/mcp.md).

If your project is in a different language, use the [REST API](https://docs.apify.com/api/v2.md).

For usage examples, see the [API](#api) section below.

For more details, see Apify documentation as [Markdown index](https://docs.apify.com/llms.txt) and [Markdown full-text](https://docs.apify.com/llms-full.txt).


# README

## Appwrite Security Auditor

**If any of your Appwrite collections has the `any` role on read or list, anyone in the world can dump every document without auth right now.** This actor finds those leaks in 30 seconds and tells you exactly which permissions to revoke.

> Scan any Appwrite project for over-permissive collection/document permissions. Get a shareable HTML report. **Active probe fetches data anonymously to PROVE leaks live, not just infer them.**

### Why this exists

Appwrite has a powerful permission model that's easy to leave too open. Three patterns I see over and over in production:

- **`any` role on read or list** — the collection is fully public. Anyone can dump every document without auth.
- **`users` role too broadly** — any signed-up user (including a self-registered anonymous one) reads or writes the entire collection.
- **Document Security disabled** — collection-level perms apply to ALL documents. A single broad rule exposes everything.

This actor surfaces all of them across every database/collection in your project in one click.

### What it checks

| # | Check | Severity |
|---|---|---|
| 1 | Permission grants `any` role | **CRITICAL** |
| 2 | Permission grants `users` role too broadly | HIGH |
| 3 | Document Security OFF on permission-protected collection | HIGH |
| 4 | Team-based permission lacks role specificity | MEDIUM |
| 5 | OAuth2 misconfig | MEDIUM |
| 6 | Email auth without verification | MEDIUM |
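The three permission patterns above and checks 1 to 4 of the table can be reproduced offline from the collection metadata Appwrite returns (`$permissions` strings such as `read("any")` and the `documentSecurity` flag). The classifier below is an added example, not the actor's own code; the sample collections it runs on are constructed, and the fix wording is the editor's, not the report's.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Appwrite permission strings take the form action("role"), e.g.
# read("any"), create("users"), update("team:abc123/admin"), delete("user:xyz").
PERM_RE = re.compile(r'^(read|create|update|delete|write)\("([^"]+)"\)$')

# Severities follow the "What it checks" table of this README.
SEVERITY = {1: "CRITICAL", 2: "HIGH", 3: "HIGH", 4: "MEDIUM"}


@dataclass(frozen=True)
class Finding:
    collection: str
    check: int
    severity: str
    evidence: str
    fix: str


def parse_permission(perm: str):
    """Split 'read("any")' into ('read', 'any'); reject malformed strings."""
    m = PERM_RE.match(perm)
    if not m:
        raise ValueError(f"unrecognised permission string: {perm!r}")
    return m.group(1), m.group(2)


def audit_collection(col: dict) -> list:
    """Run checks 1-4 against one collection object as returned by
    Appwrite's list-collections endpoint ($permissions, documentSecurity)."""
    name = col.get("name") or col["$id"]
    perms = col.get("$permissions", [])
    findings = []
    for perm in perms:
        action, role = parse_permission(perm)
        if role == "any":
            # Check 1: unauthenticated callers get this action on every document.
            findings.append(Finding(name, 1, SEVERITY[1], perm,
                f'Remove {perm}; grant {action} to a specific user, team role or label instead.'))
        elif role == "users":
            # Check 2: every account, including self-registered anonymous sessions.
            findings.append(Finding(name, 2, SEVERITY[2], perm,
                f'Narrow {perm} to {action}("users/verified") or to per-document owner permissions.'))
        elif role.startswith("team:") and "/" not in role:
            # Check 4: the whole team is granted instead of a named team role.
            findings.append(Finding(name, 4, SEVERITY[4], perm,
                f'Scope {perm} to a role, e.g. {action}("{role}/admin").'))
    if perms and not col.get("documentSecurity", False):
        # Check 3: with Document Security off, collection-level rules apply to
        # all documents, so one broad grant exposes everything.
        findings.append(Finding(name, 3, SEVERITY[3], "documentSecurity=false",
            "Enable Document Security on the collection and set per-document permissions."))
    return findings


def audit_project(collections: list) -> dict:
    """Aggregate findings across collections into a SUMMARY-style dict."""
    findings = [f for col in collections for f in audit_collection(col)]
    by_severity = Counter(f.severity for f in findings)
    return {"findings": findings,
            "critical": by_severity["CRITICAL"],
            "high": by_severity["HIGH"],
            "medium": by_severity["MEDIUM"]}


# Constructed sample in the shape Appwrite returns for collections; not real data.
SAMPLE_COLLECTIONS = [
    {"$id": "posts", "name": "posts", "documentSecurity": False,
     "$permissions": ['read("any")', 'create("users")']},
    {"$id": "invoices", "name": "invoices", "documentSecurity": True,
     "$permissions": ['read("team:acct01")', 'update("team:acct01/admin")']},
    {"$id": "profiles", "name": "profiles", "documentSecurity": True,
     "$permissions": ['read("users/verified")', 'update("user:u1")']},
]

if __name__ == "__main__":
    summary = audit_project(SAMPLE_COLLECTIONS)
    for f in summary["findings"]:
        print(f"[{f.severity}] {f.collection}: check {f.check} {f.evidence} -> {f.fix}")
    print({k: v for k, v in summary.items() if k != "findings"})
```

Check 5 and 6 need the project's auth settings rather than collection metadata, so they are outside this example.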

### Output

- **HTML report** (key `REPORT`) — self-contained Tailwind + Chart.js. Top banner shows X of N suspected leaks confirmed live. Every finding has a fix snippet.
- **Dataset** — every finding as a row.
- **SUMMARY** — counts + active-probe stats for monitoring pipelines.

### How to get an API key

1. Open your Appwrite console → Project Settings → API Keys → "Create API Key"
2. Required scopes: `databases.read`, `collections.read`, `projects.read`
3. Copy the key immediately (Appwrite shows it only once)

The key is used only for this run. Never persisted.

### Apply fixes

This actor never modifies your Appwrite project. Each finding ships with a fix snippet you paste back into the Appwrite admin console.

For an agent loop (audit + preview inside Claude Code / Cursor / Cline) see the sibling MCP server: https://github.com/Perufitlife/appwrite-security-mcp

### Want a written report + Q&A support?

Free actor → you find leaks. **$29 lite tier** (top 3 critical fixes + written summary) or **$99 full audit** (every collection's permissions + 30-day Q&A + paste-ready bundle, 24h delivery). The CTA links inside the HTML report take you to Stripe.

### License + source

MIT. Open source: https://github.com/Perufitlife/appwrite-security-skill

### Sister auditors (same family)

- **Supabase** — https://apify.com/renzomacar/supabase-security-auditor
- **PocketBase** — https://apify.com/renzomacar/pocketbase-security-auditor
- **Firebase** — https://apify.com/renzomacar/firebase-security-auditor
- **Hasura/Nhost** — https://apify.com/renzomacar/nhost-security-auditor

# Actor input Schema

## `appwriteEndpoint` (type: `string`):

Base URL of the Appwrite API, e.g. https://cloud.appwrite.io/v1 or https://your-self-hosted.io/v1

## `appwriteProjectId` (type: `string`):

The Appwrite project ID (visible in console URL).

## `appwriteApiKey` (type: `string`):

Server API key with scopes: `databases.read`, `collections.read`, `projects.read`. Used only for this run, never persisted.

## `activeProbe` (type: `boolean`):

When ON (default), the auditor sends an anonymous GET against suspect collections to PROVE the leak live (not just infer from permission metadata).

## `outputFormat` (type: `string`):

`html-report` saves a self-contained HTML to KV store key `REPORT`. `json` pushes only structured rows to the dataset. `both` does both.

## Actor input object example

```json
{
  "appwriteEndpoint": "https://cloud.appwrite.io/v1",
  "appwriteProjectId": "<YOUR_APPWRITE_PROJECT_ID>",
  "appwriteApiKey": "<YOUR_APPWRITE_API_KEY>",
  "activeProbe": true,
  "outputFormat": "html-report"
}
```

# API

You can run this Actor programmatically using our API. Below are code examples in JavaScript, Python, and CLI, as well as the OpenAPI specification and MCP server setup.

## JavaScript example

```javascript
import { ApifyClient } from 'apify-client';

// Initialize the ApifyClient with your Apify API token
// Replace the '<YOUR_API_TOKEN>' with your token
const client = new ApifyClient({
    token: '<YOUR_API_TOKEN>',
});

// Prepare Actor input. appwriteProjectId and appwriteApiKey are required by the
// input schema; replace the placeholders with your project's values.
const input = {
    "appwriteEndpoint": "https://cloud.appwrite.io/v1",
    "appwriteProjectId": "<YOUR_APPWRITE_PROJECT_ID>",
    "appwriteApiKey": "<YOUR_APPWRITE_API_KEY>"
};

// Run the Actor and wait for it to finish
const run = await client.actor("renzomacar/appwrite-security-auditor").call(input);

// Fetch and print Actor results from the run's dataset (if any)
console.log('Results from dataset');
console.log(`💾 Check your data here: https://console.apify.com/storage/datasets/${run.defaultDatasetId}`);
const { items } = await client.dataset(run.defaultDatasetId).listItems();
items.forEach((item) => {
    console.dir(item);
});

// 📚 Want to learn more 📖? Go to → https://docs.apify.com/api/client/js/docs

```

## Python example

```python
from apify_client import ApifyClient

# Initialize the ApifyClient with your Apify API token
# Replace '<YOUR_API_TOKEN>' with your token.
client = ApifyClient("<YOUR_API_TOKEN>")

# Prepare the Actor input. appwriteProjectId and appwriteApiKey are required by the
# input schema; replace the placeholders with your project's values.
run_input = {
    "appwriteEndpoint": "https://cloud.appwrite.io/v1",
    "appwriteProjectId": "<YOUR_APPWRITE_PROJECT_ID>",
    "appwriteApiKey": "<YOUR_APPWRITE_API_KEY>",
}

# Run the Actor and wait for it to finish
run = client.actor("renzomacar/appwrite-security-auditor").call(run_input=run_input)

# Fetch and print Actor results from the run's dataset (if there are any)
print("💾 Check your data here: https://console.apify.com/storage/datasets/" + run["defaultDatasetId"])
for item in client.dataset(run["defaultDatasetId"]).iterate_items():
    print(item)

# 📚 Want to learn more 📖? Go to → https://docs.apify.com/api/client/python/docs/quick-start

```

## CLI example

```bash
# appwriteProjectId and appwriteApiKey are required by the input schema;
# replace the placeholders with your project's values.
echo '{
  "appwriteEndpoint": "https://cloud.appwrite.io/v1",
  "appwriteProjectId": "<YOUR_APPWRITE_PROJECT_ID>",
  "appwriteApiKey": "<YOUR_APPWRITE_API_KEY>"
}' |
apify call renzomacar/appwrite-security-auditor --silent --output-dataset
```

## MCP server setup

```json
{
    "mcpServers": {
        "apify": {
            "command": "npx",
            "args": [
                "mcp-remote",
                "https://mcp.apify.com/?tools=renzomacar/appwrite-security-auditor",
                "--header",
                "Authorization: Bearer <YOUR_API_TOKEN>"
            ]
        }
    }
}

```

## OpenAPI specification

```json
{
    "openapi": "3.0.1",
    "info": {
        "title": "Appwrite Security Audit - Find Public Collections Free",
        "description": "Audit any Appwrite project (cloud or self-hosted) for collections with over-permissive document-level permissions, public reads, and anonymous writes. Active anon fetch confirms live leaks. HTML report with paste-ready fix snippets. Free.",
        "version": "0.1",
        "x-build-id": "mPdjkcehGtK8uyXL8"
    },
    "servers": [
        {
            "url": "https://api.apify.com/v2"
        }
    ],
    "paths": {
        "/acts/renzomacar~appwrite-security-auditor/run-sync-get-dataset-items": {
            "post": {
                "operationId": "run-sync-get-dataset-items-renzomacar-appwrite-security-auditor",
                "x-openai-isConsequential": false,
                "summary": "Executes an Actor, waits for its completion, and returns Actor's dataset items in response.",
                "tags": [
                    "Run Actor"
                ],
                "requestBody": {
                    "required": true,
                    "content": {
                        "application/json": {
                            "schema": {
                                "$ref": "#/components/schemas/inputSchema"
                            }
                        }
                    }
                },
                "parameters": [
                    {
                        "name": "token",
                        "in": "query",
                        "required": true,
                        "schema": {
                            "type": "string"
                        },
                        "description": "Enter your Apify token here"
                    }
                ],
                "responses": {
                    "200": {
                        "description": "OK"
                    }
                }
            }
        },
        "/acts/renzomacar~appwrite-security-auditor/runs": {
            "post": {
                "operationId": "runs-sync-renzomacar-appwrite-security-auditor",
                "x-openai-isConsequential": false,
                "summary": "Executes an Actor and returns information about the initiated run in response.",
                "tags": [
                    "Run Actor"
                ],
                "requestBody": {
                    "required": true,
                    "content": {
                        "application/json": {
                            "schema": {
                                "$ref": "#/components/schemas/inputSchema"
                            }
                        }
                    }
                },
                "parameters": [
                    {
                        "name": "token",
                        "in": "query",
                        "required": true,
                        "schema": {
                            "type": "string"
                        },
                        "description": "Enter your Apify token here"
                    }
                ],
                "responses": {
                    "200": {
                        "description": "OK",
                        "content": {
                            "application/json": {
                                "schema": {
                                    "$ref": "#/components/schemas/runsResponseSchema"
                                }
                            }
                        }
                    }
                }
            }
        },
        "/acts/renzomacar~appwrite-security-auditor/run-sync": {
            "post": {
                "operationId": "run-sync-renzomacar-appwrite-security-auditor",
                "x-openai-isConsequential": false,
                "summary": "Executes an Actor, waits for completion, and returns the OUTPUT from Key-value store in response.",
                "tags": [
                    "Run Actor"
                ],
                "requestBody": {
                    "required": true,
                    "content": {
                        "application/json": {
                            "schema": {
                                "$ref": "#/components/schemas/inputSchema"
                            }
                        }
                    }
                },
                "parameters": [
                    {
                        "name": "token",
                        "in": "query",
                        "required": true,
                        "schema": {
                            "type": "string"
                        },
                        "description": "Enter your Apify token here"
                    }
                ],
                "responses": {
                    "200": {
                        "description": "OK"
                    }
                }
            }
        }
    },
    "components": {
        "schemas": {
            "inputSchema": {
                "type": "object",
                "required": [
                    "appwriteEndpoint",
                    "appwriteProjectId",
                    "appwriteApiKey"
                ],
                "properties": {
                    "appwriteEndpoint": {
                        "title": "Appwrite endpoint",
                        "type": "string",
                        "description": "Base URL of the Appwrite API, e.g. https://cloud.appwrite.io/v1 or https://your-self-hosted.io/v1"
                    },
                    "appwriteProjectId": {
                        "title": "Project ID",
                        "type": "string",
                        "description": "The Appwrite project ID (visible in console URL)."
                    },
                    "appwriteApiKey": {
                        "title": "API key",
                        "type": "string",
                        "description": "Server API key with scopes: databases.read, collections.read, projects.read. Used only for this run, never persisted."
                    },
                    "activeProbe": {
                        "title": "Active probe (anonymous fetch)",
                        "type": "boolean",
                        "description": "When ON (default), the auditor sends an anonymous GET against suspect collections to PROVE the leak live (not just infer from permission metadata).",
                        "default": true
                    },
                    "outputFormat": {
                        "title": "Output format",
                        "enum": [
                            "html-report",
                            "json",
                            "both"
                        ],
                        "type": "string",
                        "description": "html-report saves a self-contained HTML to KV store key REPORT. json pushes only structured rows to the dataset. both does both.",
                        "default": "html-report"
                    }
                }
            },
            "runsResponseSchema": {
                "type": "object",
                "properties": {
                    "data": {
                        "type": "object",
                        "properties": {
                            "id": {
                                "type": "string"
                            },
                            "actId": {
                                "type": "string"
                            },
                            "userId": {
                                "type": "string"
                            },
                            "startedAt": {
                                "type": "string",
                                "format": "date-time",
                                "example": "2025-01-08T00:00:00.000Z"
                            },
                            "finishedAt": {
                                "type": "string",
                                "format": "date-time",
                                "example": "2025-01-08T00:00:00.000Z"
                            },
                            "status": {
                                "type": "string",
                                "example": "READY"
                            },
                            "meta": {
                                "type": "object",
                                "properties": {
                                    "origin": {
                                        "type": "string",
                                        "example": "API"
                                    },
                                    "userAgent": {
                                        "type": "string"
                                    }
                                }
                            },
                            "stats": {
                                "type": "object",
                                "properties": {
                                    "inputBodyLen": {
                                        "type": "integer",
                                        "example": 2000
                                    },
                                    "rebootCount": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "restartCount": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "resurrectCount": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "computeUnits": {
                                        "type": "integer",
                                        "example": 0
                                    }
                                }
                            },
                            "options": {
                                "type": "object",
                                "properties": {
                                    "build": {
                                        "type": "string",
                                        "example": "latest"
                                    },
                                    "timeoutSecs": {
                                        "type": "integer",
                                        "example": 300
                                    },
                                    "memoryMbytes": {
                                        "type": "integer",
                                        "example": 1024
                                    },
                                    "diskMbytes": {
                                        "type": "integer",
                                        "example": 2048
                                    }
                                }
                            },
                            "buildId": {
                                "type": "string"
                            },
                            "defaultKeyValueStoreId": {
                                "type": "string"
                            },
                            "defaultDatasetId": {
                                "type": "string"
                            },
                            "defaultRequestQueueId": {
                                "type": "string"
                            },
                            "buildNumber": {
                                "type": "string",
                                "example": "1.0.0"
                            },
                            "containerUrl": {
                                "type": "string"
                            },
                            "usage": {
                                "type": "object",
                                "properties": {
                                    "ACTOR_COMPUTE_UNITS": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "DATASET_READS": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "DATASET_WRITES": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "KEY_VALUE_STORE_READS": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "KEY_VALUE_STORE_WRITES": {
                                        "type": "integer",
                                        "example": 1
                                    },
                                    "KEY_VALUE_STORE_LISTS": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "REQUEST_QUEUE_READS": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "REQUEST_QUEUE_WRITES": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "DATA_TRANSFER_INTERNAL_GBYTES": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "DATA_TRANSFER_EXTERNAL_GBYTES": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "PROXY_RESIDENTIAL_TRANSFER_GBYTES": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "PROXY_SERPS": {
                                        "type": "integer",
                                        "example": 0
                                    }
                                }
                            },
                            "usageTotalUsd": {
                                "type": "number",
                                "example": 0.00005
                            },
                            "usageUsd": {
                                "type": "object",
                                "properties": {
                                    "ACTOR_COMPUTE_UNITS": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "DATASET_READS": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "DATASET_WRITES": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "KEY_VALUE_STORE_READS": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "KEY_VALUE_STORE_WRITES": {
                                        "type": "number",
                                        "example": 0.00005
                                    },
                                    "KEY_VALUE_STORE_LISTS": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "REQUEST_QUEUE_READS": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "REQUEST_QUEUE_WRITES": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "DATA_TRANSFER_INTERNAL_GBYTES": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "DATA_TRANSFER_EXTERNAL_GBYTES": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "PROXY_RESIDENTIAL_TRANSFER_GBYTES": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "PROXY_SERPS": {
                                        "type": "integer",
                                        "example": 0
                                    }
                                }
                            }
                        }
                    }
                }
            }
        }
    }
}
```
