vibe-security
Agent skill that audits vibe-coded apps for common security vulnerabilities introduced by AI coding assistants
npx skills add https://github.com/raroque/vibe-security-skill --skill vibe-securityInstallez cette compétence avec la CLI et commencez à utiliser le flux de travail SKILL.md dans votre espace de travail.
Vibe Security - Agent Skill for AI Coding Assistants
An agent skill that helps secure vibe-coded apps - or honestly any app - from common security vulnerability patterns. Built by Chris Raroque (@raroque) in collaboration with my colleagues at Aloa.
AI assistants are great at building features fast but consistently get security wrong: hardcoding secrets, skipping row-level security, trusting client-submitted prices, storing tokens in localStorage. This skill catches those patterns before they ship.
Need help building AI apps, custom agents, or implementing AI at your company? Work with Chris and the team at Aloa.
Background
This skill was built specifically to address the security issues that keep showing up in vibe-coded applications. When you're building fast with AI, security fundamentals get skipped - and the AI assistants themselves are often the ones introducing the vulnerabilities. This skill gives your agent the knowledge to catch and prevent those patterns.
It uses the Agent Skills format, so it works with Claude Code, OpenAI Codex, and other compatible agents.
The security rules are organized as reference files that the agent loads based on what technologies your project uses. If you're using Supabase, it checks RLS policies. If you're using Stripe, it checks payment flows. If you're using React Native, it checks for secrets in the JS bundle. No wasted context on irrelevant checks.
Installing Vibe Security
Claude Code
npx skills add https://github.com/raroque/vibe-security-skill --skill vibe-security
If npx isn't available, install Node.js first: brew install node (macOS) or download from nodejs.org.
OpenAI Codex
npx skills add https://github.com/raroque/vibe-security-skill --skill vibe-security
Select "Codex" when prompted for the agent platform.
Manual Installation (Claude Code)
Clone this repo and copy the vibe-security/ folder to your project or global skills directory:
# Project-level (applies to one project)
cp -r vibe-security/ .claude/skills/vibe-security/
# Global (applies to all projects)
cp -r vibe-security/ ~/.claude/skills/vibe-security/
Using Vibe Security
Claude Code: Use /vibe-security to trigger a full security audit, or just ask naturally - "check my code for security issues", "is this safe?", "audit this project".
Codex: Use $vibe-security or describe what you need - "review this for vulnerabilities", "check my Supabase RLS".
The skill also activates automatically when you're writing or reviewing code that handles authentication, payments, database access, API keys, or user data.
What It Checks
| Category | What It Catches |
|---|---|
| Secrets & Env Vars | Hardcoded API keys, secrets in NEXT_PUBLIC_/VITE_/EXPO_PUBLIC_ vars, missing .gitignore |
| Database Security | Disabled Supabase RLS, USING (true) policies, missing WITH CHECK, exposed sensitive fields, Firebase allow: if true rules, Convex missing auth |
| Auth & Authorization | jwt.decode() without verify, middleware-only auth, unprotected Server Actions, tokens in localStorage |
| Rate Limiting | Missing limits on auth/AI/email endpoints, client-tamperable rate counters, no billing caps |
| Payments | Client-submitted prices, missing webhook signature verification, stale subscription checks |
| Mobile | API keys in JS bundle, AsyncStorage for tokens, unsafe deep links, weak biometric auth |
| AI / LLM | Exposed AI API keys, no usage caps, prompt injection, unsafe output rendering |
| Deployment | Debug mode in production, exposed source maps, missing security headers, .git accessible |
| Data Access | SQL injection, Prisma operator injection, $queryRawUnsafe, mass assignment |
Contributing
Contributions, corrections, and improvements are very welcome! This is meant to be a community resource. If you've found a security anti-pattern that AI assistants keep introducing, please add it.
See CONTRIBUTING.md for guidelines.
License
Vibe Security is available under the MIT License. See LICENSE for details.
Created by Chris Raroque (@raroque) and the team at Aloa.