DiscordSign up
SKILLS.SH

vibe-security

Security audits for AI-generated code, catching vulnerabilities before they ship. Systematically checks nine vulnerability categories: secrets exposure, database access control, authentication, rate limiting, payments, mobile security, AI/LLM integration, deployment config, and input validation Prioritizes findings by severity (Critical → High → Medium → Low) with concrete exploit scenarios and before/after code fixes Designed specifically for "vibe-coded" apps where AI assistants commonly introduce flaws like client-side price manipulation, disabled database rules, and hardcoded API keys Skips irrelevant checks based on your tech stack; focuses only on genuine security issues with real-world impact

INSTALLATION
npx skills add https://github.com/raroque/vibe-security-skill --skill vibe-security
Run in your project or agent environment. Adjust flags if your CLI version differs.

SKILL.md

$2b

-

Rate Limiting & Abuse Prevention — Ensure auth endpoints, AI calls, and expensive operations have rate limits. Verify rate limit counters can't be tampered with. See references/rate-limiting.md.

-

Payment Security — Check for client-side price manipulation, webhook signature verification, and subscription status validation. See references/payments.md.

-

Mobile Security — Verify secure token storage, API key protection via backend proxy, and deep link validation. See references/mobile.md.

-

AI / LLM Integration — Check for exposed AI API keys, missing usage caps, prompt injection vectors, and unsafe output rendering. See references/ai-integration.md.

-

Deployment Configuration — Verify production settings, security headers, source map exposure, and environment separation. See references/deployment.md.

-

Data Access & Input Validation — Check for SQL injection, ORM misuse, and missing input validation. See references/data-access.md.

If doing a partial review or generating code in a specific area, load only the relevant reference files.

Core Instructions

  • Report only genuine security issues. Do not nitpick style or non-security concerns.
  • When multiple issues exist, prioritize by exploitability and real-world impact.
  • If the codebase doesn't use a particular technology (e.g., no Supabase), skip that section entirely.
  • When generating new code, consult the relevant reference files proactively to avoid introducing vulnerabilities in the first place.
  • If you find a critical issue (exposed secrets, disabled RLS, auth bypass), flag it immediately at the top of your response — don't bury it in a long list.

Output Format

Organize findings by severity: CriticalHighMediumLow.

For each issue:

  • State the file and relevant line(s).
  • Name the vulnerability.
  • Explain what an attacker could do (concrete impact, not abstract risk).
  • Show a before/after code fix.

Skip areas with no issues. End with a prioritized summary.

Example Output

#### Critical

**lib/supabase.ts:3 — Supabase service_role key exposed in client bundle**

The service_role key bypasses all Row-Level Security. Anyone can extract it from the browser bundle and read, modify, or delete every row in your database.

// Before

const supabase = createClient(url, process.env.NEXT_PUBLIC_SUPABASE_SERVICE_KEY!)

// After — use the anon key client-side; service_role belongs only in server-side code

const supabase = createClient(url, process.env.NEXT_PUBLIC_SUPABASE_ANON_KEY!)

#### High

**app/api/checkout/route.ts:15 — Price taken from client request body**

An attacker can set any price (including $0.01) by modifying the request. Prices must be looked up server-side.

// Before

const session = await stripe.checkout.sessions.create({

  line_items: [{ price_data: { unit_amount: req.body.price } }]

})

// After — look up the price server-side

const product = await db.products.findUnique({ where: { id: req.body.productId } })

const session = await stripe.checkout.sessions.create({

  line_items: [{ price: product.stripePriceId }]

})

Summary

  • Service role key exposed (Critical): Anyone can bypass all database security. Rotate the key immediately and move it to server-side only.
  • Client-controlled pricing (High): Attackers can purchase at any price. Use server-side price lookup.

When Generating Code

These rules also apply proactively. Before writing code that touches auth, payments, database access, API keys, or user data, consult the relevant reference file to avoid introducing the vulnerability in the first place. Prevention is better than detection.

References

  • references/secrets-and-env.md — API keys, tokens, environment variable configuration, and .gitignore rules.
  • references/database-security.md — Supabase RLS, Firebase Security Rules, and Convex auth patterns.
  • references/authentication.md — JWT verification, middleware, Server Actions, and session management.
  • references/rate-limiting.md — Rate limiting strategies and abuse prevention.
  • references/payments.md — Stripe security, webhook verification, and price validation.
  • references/mobile.md — React Native and Expo security: secure storage, API proxy, deep links.
  • references/ai-integration.md — LLM API key protection, usage caps, prompt injection, and output sanitization.
  • references/deployment.md — Production configuration, security headers, and environment separation.
  • references/data-access.md — SQL injection prevention, ORM safety, and input validation.
BrowserAct

Let your agent run on any real-world website

Bypass CAPTCHA & anti-bot for free. Start local, scale to cloud.

Explore BrowserAct Skills →

Related skills

azure-compliance
3/3

Azure compliance scanning, Key Vault expiration auditing, and resource configuration validation. Runs azqr (Azure Quick Review) for comprehensive compliance assessment against best practices across subscriptions and resource groups Monitors Key Vault keys, secrets, and certificates for expiration dates and identifies items without expiration policies Detects orphaned, misconfigured, and non-compliant resources using Resource Graph queries Classifies findings by priority (Critical, High, Medium, Low) with remediation guidance for each issue

Verified authormicrosoft
SKILLS.SH
293K1.1K
2026-05-22
openclaw-secure-linux-cloud
1/3

Use when self-hosting OpenClaw on a cloud server, hardening a remote OpenClaw gateway, choosing between SSH tunneling, Tailscale, or reverse-proxy exposure, or…

xixu-me
SKILLS.SH
150K53
2026-05-22
entra-agent-id
3/3

Provision Microsoft Entra Agent Identity Blueprints, BlueprintPrincipals, and per-instance Agent Identities via Microsoft Graph, and configure OAuth 2.0 token…

Verified authormicrosoft
SKILLS.SH
59.1K1.1K
2026-05-21
firebase-security-rules-auditor
3/3

A skill to evaluate how secure Firestore security rules are. Use this when Firestore security rules are updated to ensure that the generated rules are…

firebase
SKILLS.SH
23.5K292
2026-05-21

Stop writing automation&scrapers

Install the CLI. Run your first Skill in 30 seconds. Scale when you're ready.

Start free
free · no credit card