vibe-security-skill
This is an AI agent skill designed to audit common security vulnerabilities in applications developed by AI coding assistants. AI assistants, when rapidly building features, often introduce security issues such as hardcoded keys, bypassing row-level security, trusting client-side data, or storing sensitive information in localStorage. This skill empowers your AI agent to identify and prevent these vulnerabilities, ensuring code meets higher security standards before release, applicable to security audits of any application.
git clone https://github.com/raroque/vibe-security-skill.gitBefore / After Comparison
1 组Without this skill, AI coding assistants might introduce vulnerabilities such as hardcoded keys or skipped security checks during rapid development. Manual auditing is time-consuming and prone to oversight, leading to security issues being discovered only after application release, which increases remediation costs and risks.
With this skill integrated, AI agents can automatically identify and flag common security vulnerability patterns introduced by AI coding assistants. This significantly accelerates the security auditing process, allowing issues to be discovered and fixed immediately before code release, thereby substantially enhancing overall application security.
description SKILL.md
An agent skill that helps secure vibe-coded apps - or honestly any app - from common security vulnerability patterns. Built by Chris Raroque (@raroque) in collaboration with my colleagues at Aloa.
AI assistants are great at building features fast but consistently get security wrong: hardcoding secrets, skipping row-level security, trusting client-submitted prices, storing tokens in localStorage. This skill catches those patterns before they ship.
Need help building AI apps, custom agents, or implementing AI at your company? Work with Chris and the team at Aloa.
Background
This skill was built specifically to address the security issues that keep showing up in vibe-coded applications. When you're building fast with AI, security fundamentals get skipped - and the AI assistants themselves are often the ones introducing the vulnerabilities. This skill gives your agent the knowledge to catch and prevent those patterns.
It uses the Agent Skills format, so it works with Claude Code, OpenAI Codex, and other compatible agents.
The security rules are organized as reference files that the agent loads based on what technologies your project uses. If you're using Supabase, it checks RLS policies. If you're using Stripe, it checks payment flows. If you're using React Native, it checks for secrets in the JS bundle. No wasted context on irrelevant checks.
Installing Vibe Security
Claude Code
npx skills add https://github.com/raroque/vibe-security-skill --skill vibe-security
If npx isn't available, install Node.js first: brew install node (macOS) or download from nodejs.org.
OpenAI Codex
npx skills add https://github.com/raroque/vibe-security-skill --skill vibe-security
Select "Codex" when prompted for the agent platform.
Manual Installation (Claude Code)
Clone this repo and copy the vibe-security/ folder to your project or global skills directory:
# Project-level (applies to one project)
cp -r vibe-security/ .claude/skills/vibe-security/
# Global (applies to all projects)
cp -r vibe-security/ ~/.claude/skills/vibe-security/
Using Vibe Security
Claude Code: Use /vibe-security to trigger a full security audit, or just ask naturally - "check my code for security issues", "is this safe?", "audit this project".
Codex: Use $vibe-security or describe what you need - "review this for vulnerabilities", "check my Supabase RLS".
The skill also activates automatically when you're writing or reviewing code that handles authentication, payments, database access, API keys, or user data.
What It Checks
| Category | What It Catches |
|---|---|
| Secrets & Env Vars | Hardcoded API keys, secrets in NEXT_PUBLIC_/VITE_/EXPO_PUBLIC_ vars, missing .gitignore |
| Database Security | Disabled Supabase RLS, USING (true) policies, missing WITH CHECK, exposed sensitive fields, Firebase allow: if true rules, Convex missing auth |
| Auth & Authorization | jwt.decode() without verify, middleware-only auth, unprotected Server Actions, tokens in localStorage |
| Rate Limiting | Missing limits on auth/AI/email endpoints, client-tamperable rate counters, no billing caps |
| Payments | Client-submitted prices, missing webhook signature verification, stale subscription checks |
| Mobile | API keys in JS bundle, AsyncStorage for tokens, unsafe deep links, weak biometric auth |
| AI / LLM | Exposed AI API keys, no usage caps, prompt injection, unsafe output rendering |
| Deployment | Debug mode in production, exposed source maps, missing security headers, .git accessible |
| Data Access | SQL injection, Prisma operator injection, $queryRawUnsafe, mass assignment |
Contributing
Contributions, corrections, and improvements are very welcome! This is meant to be a community resource. If you've found a security anti-pattern that AI assistants keep introducing, please add it.
See CONTRIBUTING.md for guidelines.
License
Vibe Security is available under the MIT License. See LICENSE for details.
Created by Chris Raroque (@raroque) and the team at Aloa.
forumUser Reviews (0)
Write a Review
No reviews yet
Statistics
User Rating
Rate this Skill