Catch the security vulnerabilities that AI introduces, before they ship.
Vibe Security is an agent skill that audits your codebase for security vulnerabilities that AI coding assistants commonly introduce, especially in fast-paced, AI-assisted ("vibe-coded") projects.
AI tools are incredible at building features quickly. But they consistently get security wrong:
| What AI Gets Wrong | Real-World Consequence |
|---|---|
| Hardcoding API keys | Secrets extracted from public repo |
| Skipping Supabase RLS | Entire database readable by anyone |
| Trusting client-submitted prices | Attackers buy anything for $0.01 |
| Using `jwt.decode()` instead of `jwt.verify()` | Authentication completely bypassed |
| Storing tokens in `localStorage` | Trivially stolen via XSS |
| Sending AI API keys to the frontend | Billing account drained |
This skill gives your AI assistant the knowledge to catch and prevent these patterns automatically.
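Why the `jwt.decode()` row in the table above ends in an authentication bypass, shown as an added example (not code from this skill or from any JWT library). It is a minimal HS256 implementation on Node's built-in `crypto`; `signToken`, `decodeOnly`, `verifyToken`, `safeVerify`, the secret and both sample tokens are constructed for illustration.

```javascript
// Added example, not the skill's code: HS256 JWT handling on Node's crypto only.
const { createHmac, timingSafeEqual } = require('node:crypto');

const b64url = (input) => Buffer.from(input).toString('base64url');
const fromB64url = (s) => JSON.parse(Buffer.from(s, 'base64url').toString('utf8'));
const hmac = (data, secret) => createHmac('sha256', secret).update(data).digest();

// Issue a token (stands in for what the auth server does).
function signToken(payload, secret) {
  const head = b64url(JSON.stringify({ alg: 'HS256', typ: 'JWT' }));
  const body = b64url(JSON.stringify(payload));
  return `${head}.${body}.${hmac(`${head}.${body}`, secret).toString('base64url')}`;
}

// What a decode-only call amounts to: parse the payload, check nothing.
function decodeOnly(token) {
  return fromB64url(token.split('.')[1]);
}

// Verify: pin the algorithm, compare the signature in constant time, check expiry.
function verifyToken(token, secret, nowSeconds = Math.floor(Date.now() / 1000)) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('malformed token');
  const [head, body, sig] = parts;
  if (fromB64url(head).alg !== 'HS256') throw new Error('unexpected algorithm');
  const expected = hmac(`${head}.${body}`, secret);
  const given = Buffer.from(sig, 'base64url');
  if (given.length !== expected.length || !timingSafeEqual(given, expected)) {
    throw new Error('bad signature');
  }
  const payload = fromB64url(body);
  if (typeof payload.exp !== 'number' || payload.exp <= nowSeconds) throw new Error('expired');
  return payload;
}

// Constructed sample: a genuine token, and a copy whose payload was edited
// after signing, so its signature no longer matches.
const SECRET = 'constructed-demo-secret';
const NOW = 1700000000;
const genuine = signToken({ sub: 'user-1', role: 'user', exp: NOW + 3600 }, SECRET);
const [h, , s] = genuine.split('.');
const edited = b64url(JSON.stringify({ sub: 'user-1', role: 'admin', exp: NOW + 3600 }));
const tampered = `${h}.${edited}.${s}`;

// Returns the verified payload, or the rejection reason as a string.
function safeVerify(token) {
  try { return verifyToken(token, SECRET, NOW); } catch (err) { return err.message; }
}
```

`decodeOnly(tampered)` returns the edited claims without complaint, while `safeVerify(tampered)` rejects the same token; any authorization decision has to be made on the output of the verifying path.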
```bash
npx skills add https://github.com/azizaeffendi/vibe-security-skill --skill vibe-security
```

If `npx` is not available, install Node.js first:

- macOS: `brew install node`
- Windows/Linux: Download from nodejs.org

```bash
npx skills add https://github.com/azizaeffendi/vibe-security-skill --skill vibe-security
```

Select Codex when prompted for the agent platform.

```bash
# Clone the repository
git clone https://github.com/azizaeffendi/vibe-security-skill.git

# Project-level (applies to one project only)
cp -r vibe-security-skill/vibe-security/ .claude/skills/vibe-security/

# Global (applies to all your projects)
cp -r vibe-security-skill/vibe-security/ ~/.claude/skills/vibe-security/
```

Use the slash command for a full security audit:
/vibe-security
Or ask naturally; the skill activates automatically:
"Check my code for security issues"
"Is this auth flow safe?"
"Audit my Supabase RLS policies"
"Can someone hack this checkout flow?"
"Review this for vulnerabilities"
$vibe-security
Tip
The skill also activates automatically when you write or review code that touches authentication, payments, database access, API keys, or user data, even without an explicit command.
| Category | What It Catches | Key Platforms |
|---|---|---|
| Secrets & Env Vars | Hardcoded API keys, secrets leaked via `NEXT_PUBLIC_` / `VITE_` / `EXPO_PUBLIC_`, missing `.gitignore` | All frameworks |
| Database Security | Disabled RLS, `USING (true)` policies, missing `WITH CHECK`, exposed sensitive fields, `allow: if true` rules | Supabase, Firebase, Convex |
| Authentication | `jwt.decode()` without verify, middleware-only auth, unprotected Server Actions, tokens in `localStorage` | Next.js, JWT, OAuth |
| Rate Limiting | Missing limits on auth/AI/email endpoints, client-tamperable rate counters, no billing caps | Upstash Redis |
| Payments | Client-submitted prices, missing webhook signature verification, stale subscription status checks | Stripe |
| Mobile Security | API keys in JS bundle, `AsyncStorage` for tokens, unsafe deep links, weak biometric auth | React Native, Expo |
| AI / LLM Integration | Exposed AI API keys, no spending caps, prompt injection vectors, unsafe LLM output rendering | OpenAI, Anthropic, Gemini |
| Deployment | Debug mode in production, exposed source maps, missing security headers, `.git` directory accessible | Vercel, AWS, GCP |
| Data Access | SQL injection, Prisma operator injection, `$queryRawUnsafe`, mass assignment vulnerabilities | Prisma, PostgreSQL, MySQL |
The skill loads only the reference files relevant to your tech stack. Using Supabase? It checks RLS. Using Stripe? It checks payment flows. No wasted context.
```
vibe-security/
├── SKILL.md                  # Core skill definition & audit process
└── references/
    ├── secrets-and-env.md    # API keys, env var prefixes, .gitignore
    ├── database-security.md  # Supabase RLS, Firebase rules, Convex auth
    ├── authentication.md     # JWT, middleware, Server Actions, sessions
    ├── rate-limiting.md      # Rate limits & abuse prevention
    ├── payments.md           # Stripe, webhooks, price validation
    ├── mobile.md             # React Native / Expo security
    ├── ai-integration.md     # LLM key protection, prompt injection
    ├── deployment.md         # Production config, security headers
    └── data-access.md        # SQL injection, ORM safety
```
Important
The core principle: Never trust the client. Every price, user ID, role, subscription status, and rate limit counter must be validated server-side. If it exists only in the browser or request body, an attacker controls it.
When you run /vibe-security, the skill produces structured findings organized by severity:
#### Critical

`lib/supabase.ts:3` - service_role key exposed in client bundle

The service_role key bypasses all Row-Level Security. Anyone can
extract it from the browser bundle and read, write, or delete
every row in your database.

Before: `const supabase = createClient(url, process.env.NEXT_PUBLIC_SUPABASE_SERVICE_KEY!)`

After: `const supabase = createClient(url, process.env.NEXT_PUBLIC_SUPABASE_ANON_KEY!)`

#### High

`app/api/checkout/route.ts:15` - price taken from client request body

An attacker can purchase at any price (including $0.01) by
modifying the request. Prices must be looked up server-side.
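
The checkout finding above and the "never trust the client" principle, as an added example rather than the skill's own output: a server-side order builder that prices every line from its own catalog. `CATALOG`, `MAX_QUANTITY`, `buildOrder` and the sample request are hypothetical names and constructed data.

```javascript
// Added example, not the skill's code. CATALOG stands in for a database or
// payment-provider price lookup; all SKUs and amounts are constructed.
const CATALOG = new Map([
  ['sku_basic', { unitAmountCents: 900 }],
  ['sku_pro', { unitAmountCents: 2900 }],
]);
const MAX_QUANTITY = 10;

// Takes the parsed request body and returns the order the server will charge.
// Only `sku` and `quantity` are read; client-sent price or total fields are ignored.
function buildOrder(body) {
  if (!body || !Array.isArray(body.items) || body.items.length === 0) {
    return { ok: false, error: 'items required' };
  }
  const lines = [];
  for (const item of body.items) {
    const product = item && typeof item.sku === 'string' ? CATALOG.get(item.sku) : undefined;
    if (!product) return { ok: false, error: 'unknown product' };
    // Quantity is client input too: reject negative, zero, fractional or huge values.
    if (!Number.isInteger(item.quantity) || item.quantity < 1 || item.quantity > MAX_QUANTITY) {
      return { ok: false, error: 'invalid quantity' };
    }
    lines.push({ sku: item.sku, quantity: item.quantity, unitAmountCents: product.unitAmountCents });
  }
  const totalCents = lines.reduce((sum, l) => sum + l.quantity * l.unitAmountCents, 0);
  return { ok: true, lines, totalCents };
}

// Constructed request body carrying a client-supplied price and total.
const sampleRequest = { items: [{ sku: 'sku_pro', quantity: 2, price: 0.01 }], total: 0.01 };
```

The amount passed to the payment provider should be `totalCents` from this function, never a number read from the request.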
Contributions are welcome! This is a community resource. If you have found a security anti-pattern that AI assistants keep introducing, please add it.
- Found a new vulnerability pattern? Open an Issue
- Found incorrect guidance? Report a Bug
- Want to add a new platform? Request a Feature
See CONTRIBUTING.md for detailed guidelines.
MIT License - see LICENSE for details.
Made with ❤️ by azizaeffendi
If this skill helped you catch a vulnerability, consider giving it a ⭐