Z-Audit
Security auditing for the vibe-coding era
Z-Audit is a comprehensive security audit skill for Claude Code that auto-detects your tech stack and runs targeted vulnerability checks. Built for developers who ship fast and need to find security holes before someone else does.
Why Z-Audit?
2026 is the year of vibe-coding. Cursor, Claude, Lovable, Codex - everyone's shipping faster than ever. But speed often means security gets overlooked.
Z-Audit was born from a real security audit where we found:
- Hardcoded passwords in frontend JavaScript
- API endpoints with zero authentication
- API keys exposed in bundles
- Full CRUD access to production databases
- Calendar data with Zoom passwords exposed
If you've vibe-coded your way to production, you probably need this.
Quick Start
Installation
Option 1: Plugin Marketplace (Recommended)
# In Claude Code
/plugin marketplace add zm2231/z-audit
/plugin install z-audit@z-audit-marketplace
Option 2: Manual Install
git clone https://github.com/zm2231/z-audit.git
cd z-audit
./install.sh
Usage
# Audit a live site
/z-audit https://myapp.vercel.app https://api.myapp.workers.dev
# Audit local codebase
/z-audit ./my-project
# Audit current directory
/z-audit local
What It Checks
Phase 0: Stack Detection
Automatically detects your tech stack before running checks:
- Frontend framework (React, Vue, Svelte, Next.js, Nuxt, etc.)
- Hosting platform (Vercel, Netlify, Cloudflare Pages)
- Backend type (Cloudflare Workers, Vercel Functions, Express, Hono)
- Database (Supabase, Firebase, Postgres, MongoDB)
- Auth solution (or lack thereof)
Phase 1: Secrets & Credentials
Scans for hardcoded secrets in frontend bundles:
- API keys (OpenAI, Stripe, AWS, GitHub, Google, Slack)
- Hardcoded passwords
- JWTs and auth tokens
- Supabase/Firebase credentials
- Generic high-entropy strings
Phase 2: Authentication & Authorization
- Client-side auth bypasses (localStorage manipulation)
- API endpoints without authentication
- Auth bypass techniques (null tokens, malformed headers)
- IDOR (Insecure Direct Object Reference)
- Role escalation
Phase 3: API Security
- CRUD access without authentication
- Input validation (SQL injection, NoSQL injection, XSS)
- Rate limiting
- Error message information leakage
Phase 4: Infrastructure-Specific
| Platform | Checks |
|---|
| Cloudflare Workers | Secrets list, KV namespaces, D1 databases, worker source code |
| Vercel | Exposed .env files, source maps, API routes |
| Supabase | RLS policies, anon key permissions, storage buckets |
| Firebase | Firestore rules, storage rules, direct database access |
Phase 5: Security Headers & CORS
- Missing security headers (CSP, HSTS, X-Frame-Options)
- CORS misconfiguration
Phase 6: Dependencies
- Known vulnerabilities (npm audit, pip-audit)
- Outdated packages
Phase 7: Data Exposure
- PII in API responses
- Verbose error messages with stack traces
Report Format
Z-Audit generates a structured report with severity levels:
# Z-Audit Security Report
**Target:** https://myapp.vercel.app
**Date:** 2026-01-16
**Stack:** Next.js + Supabase + Cloudflare Workers
## Executive Summary
Critical vulnerabilities found. API has no authentication,
exposing all user data. Immediate action required.
## Critical Findings
### C1: Hardcoded Password in Frontend
- **Location:** /assets/index-abc123.js
- **Issue:** Password in plain text
- **Impact:** Anyone can authenticate
- **Fix:** Move validation server-side
## High Findings
...
## Medium Findings
...
## What's Secure
- HTTPS enforced
- No SQL injection vulnerabilities found
## Action Plan
1. **Immediate:** Add API authentication
2. **This week:** Remove hardcoded secrets
3. **This month:** Implement rate limiting
Severity Levels
| Level | Meaning | Examples |
|---|
| Critical | Immediate exploitation possible | Hardcoded passwords, no API auth, exposed secrets |
| High | Significant risk | Exposed API keys, IDOR, missing auth on some routes |
| Medium | Should fix soon | Verbose errors, weak rate limiting, missing headers |
| Low | Best practice | Outdated deps (no exploits), missing CSP |
Project Structure
z-audit/
├── .claude-plugin/
│ ├── plugin.json # Plugin manifest
│ └── marketplace.json # Marketplace catalog
├── commands/
│ └── z-audit.md # Slash command
├── agents/
│ └── z-audit.md # Subagent definition
├── skills/
│ └── z-audit/
│ └── skill.md # Full audit methodology
├── examples/
│ └── sample-report.md # Example report
├── install.sh # Manual installer
└── README.md
Three Ways to Use Z-Audit
