PocketBase Security Audit - Find Open API Rules Free
Pricing
Pay per usage
Audit any PocketBase instance for collections with empty (public) list/view/create/update/delete rules and over-permissive endpoints. Active anon fetch confirms live leaks. HTML report with paste-ready collection rule snippets. Free.
Developer
Renzo Madueno
PocketBase Security Auditor
If any of your PocketBase collection rules are empty (the default!) or use the @request.auth.id != "" pattern, anyone with a free account can read or modify every record in those collections right now. This actor finds those leaks in 30 seconds.
Scan any PocketBase instance for over-permissive API rules. Get a shareable HTML report. Active probe fetches data anonymously to PROVE leaks live, not just infer them.
Why this exists
PocketBase API rules are easy to write and easy to leave too open. The patterns I see over and over in production:
- Empty rule — leaving `listRule` blank means the collection is fully public.
- `@request.auth.id != ""` — looks restrictive but lets ANY logged-in user read or write the entire collection.
- `true` literal — leftover from local dev, evaluates to "always allow."
This actor surfaces all three across every collection in one click.
What it checks
| # | Check | Severity |
|---|---|---|
| 1 | API rule is empty (collection fully public) | CRITICAL |
| 2 | API rule is @request.auth.id != "" (any logged-in user passes) | HIGH |
| 3 | API rule contains true literal | HIGH |
| 4 | Auth collection has open signup + lax create rule | HIGH |
| 5 | OAuth2 misconfig | MEDIUM |
| 6 | Email auth without verification | MEDIUM |
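As an added example (not the actor's own code and not taken from the linked repositories), the script below applies checks 1 to 3 from the table above to a constructed collection export in the shape of PocketBase's collection JSON. It assumes PocketBase's two encodings of "no rule": an empty string means the rule is public, while `null` means the rule is locked to superusers/admins, so only the empty string counts as a finding. It also refines check 3 slightly: `true` is reported only when it stands alone as a boolean operand (`true`, `... || true`), not when it is compared against a field (`published = true`). `OWNER_FIELD` in the fix snippet is a placeholder to substitute before pasting a rule into the admin UI.

```python
"""Classify PocketBase collection API rules per checks 1-3 of the audit table.
Added example; not the actor's implementation."""
import json
import re

RULE_KEYS = ("listRule", "viewRule", "createRule", "updateRule", "deleteRule")

# Constructed sample in the shape of a PocketBase collection export
# (schema fields omitted; only the rules matter for this check).
#   ""   -> empty rule  -> anyone, including anonymous callers, passes
#   null -> locked rule -> only superusers/admins pass
SAMPLE_COLLECTIONS = json.loads(r'''
[
  {"name": "posts", "type": "base",
   "listRule": "", "viewRule": "",
   "createRule": "@request.auth.id != \"\"",
   "updateRule": "@request.auth.id != \"\" && author = @request.auth.id",
   "deleteRule": "true"},
  {"name": "comments", "type": "base",
   "listRule": "published = true", "viewRule": "published = true",
   "createRule": "@request.auth.id != '' || true",
   "updateRule": null, "deleteRule": null}
]
''')

# Canonical form of the "any logged-in user" rule after whitespace/quote normalisation.
ANY_AUTH = '@request.auth.id!=""'
_TRUE_TOKEN = re.compile(r"\btrue\b", re.IGNORECASE)
_CMP_OPS = ("=", "~", ">", "<")  # last char of =, !=, ~, !~, >=, <=, ?=, ?!= ...


def normalize(rule: str) -> str:
    """Strip all whitespace and unify quote style so spacing variants compare equal."""
    return re.sub(r"\s+", "", rule).replace("'", '"')


def has_bare_true(rule: str) -> bool:
    """True when `true` appears as a standalone operand (an always-allow leftover),
    not as the right-hand side of a comparison such as `published = true`."""
    for m in _TRUE_TOKEN.finditer(rule):
        before = rule[:m.start()].rstrip()
        if before and before[-1] in _CMP_OPS:
            continue  # field comparison, not a bypass
        return True
    return False


def classify_rule(rule):
    """Return (check_number, severity, title), or None if the rule is acceptable."""
    if rule is None:
        return None  # locked: superuser-only, nothing to report
    if rule.strip() == "":
        return (1, "CRITICAL", "API rule is empty (collection fully public)")
    if normalize(rule) == ANY_AUTH:
        return (2, "HIGH", 'API rule is @request.auth.id != "" (any logged-in user passes)')
    if has_bare_true(rule):
        return (3, "HIGH", "API rule contains true literal")
    return None


def fix_snippet(check: int) -> str:
    # OWNER_FIELD is a placeholder for the relation field pointing at the record owner.
    owner_scoped = '@request.auth.id != "" && OWNER_FIELD = @request.auth.id'
    if check == 3:
        return "Remove the bare `true`; scope the rule instead: " + owner_scoped
    return owner_scoped


def audit_collections(collections):
    """Walk every rule of every collection and collect findings as dict rows."""
    findings = []
    for col in collections:
        for key in RULE_KEYS:
            hit = classify_rule(col.get(key))
            if hit is None:
                continue
            check, severity, title = hit
            findings.append({
                "collection": col["name"], "rule": key, "check": check,
                "severity": severity, "title": title,
                "current": col.get(key), "fix": fix_snippet(check),
            })
    return findings


def summary(findings):
    """Severity counts in the shape a monitoring pipeline could consume."""
    counts = {"CRITICAL": 0, "HIGH": 0, "MEDIUM": 0}
    for f in findings:
        counts[f["severity"]] += 1
    return counts


if __name__ == "__main__":
    results = audit_collections(SAMPLE_COLLECTIONS)
    for f in results:
        print(f"[{f['severity']}] {f['collection']}.{f['rule']}: {f['title']}")
        print(f"    fix: {f['fix']}")
    print(summary(results))
```

On the constructed sample this reports two CRITICAL findings (`posts.listRule`, `posts.viewRule`) and three HIGH ones (`posts.createRule`, `posts.deleteRule`, `comments.createRule`), while the owner-scoped `posts.updateRule`, the `published = true` comparisons and the locked `null` rules produce nothing. Feeding it a real export from the `/api/collections` endpoint of your own instance only requires replacing `SAMPLE_COLLECTIONS`.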
Output
- HTML report (key `REPORT`) — self-contained Tailwind + Chart.js. Top banner shows X of N suspected leaks confirmed live. Every finding has a fix snippet.
- Dataset — every finding as a row.
- SUMMARY — counts + active-probe stats for monitoring pipelines.
How to get an admin password
You created one when you initialized PocketBase. Reset via the PB CLI on the host: ./pocketbase admin update <email> <new-password>.
The password is used only for this run. Never persisted.
Apply fixes
This actor never modifies your PocketBase instance. Each finding ships with a fix snippet you paste back into the PocketBase admin UI.
For an agent loop (audit + preview + apply + re-audit) inside Claude Code / Cursor / Cline, see the sibling MCP server: https://github.com/Perufitlife/pocketbase-security-mcp
Want a written report + Q&A support?
Free actor → you find leaks. $29 lite tier (top 3 critical fixes + written summary) or $99 full audit (every collection rule + 30-day Q&A + paste-ready bundle, 24h delivery). The CTA links inside the HTML report take you to Stripe.
License + source
MIT. Open source: https://github.com/Perufitlife/pocketbase-security-skill