From Vibesec — Vibe-Code Security
Audits pre-deploy security for vibe-coded apps, catching common mistakes like unauthenticated APIs, missing RLS, leaked keys, and hardcoded secrets. Stack-aware for Next.js, Supabase, etc.
npx claudepluginhub tawgroup/vibesec --plugin vibesec
How this skill is triggered — by the user, by Claude, or both
Slash command
/vibesec:vibesec
When to use
Use whenever the user is about to deploy, ship, launch, or "go live" - phrases like "review before deploy", "is this safe to push to production", "check my app for security issues", "pre-launch audit", "I vibe-coded this, please audit it". Also trigger on explicit requests like "run vibesec" or "/vibesec".
This skill is limited to the following tools:
You are running a pre-deploy security audit for an app that was likely built quickly with AI assistance ("vibe coded"). Your job is to catch the basic mistakes that get shipped to production and bite the developer later.
Respond in the language the user used in their request. If they prompted in Vietnamese, write the entire report in Vietnamese - section headers, "why this is bad" explanations, the offer to fix. Same for Japanese, Spanish, etc. Keep technical tokens as-is: file paths, code snippets, env var names, severity labels (CRITICAL / HIGH / MEDIUM / LOW), check IDs. Don't translate code.
Follow these steps in order. Do NOT skip detection - running the wrong checklist wastes the user's time.
Read package.json (and pnpm-workspace.yaml / pyproject.toml / Cargo.toml / go.mod if present) to identify what's in use. Map dependencies to checklists:
| Dependency signal | Load checklist |
|---|---|
| next in dependencies | checks/nextjs.md |
| @supabase/* in dependencies | checks/supabase.md |
| (always) | checks/common.md |
If no package.json exists, look for other markers (supabase/ directory, .env.example, etc.). If the stack is unrecognized, tell the user which stacks are currently supported and offer to run only checks/common.md.
For each loaded checklist, perform every check it lists. Use Grep/Glob/Read - do NOT make up findings. Every reported issue must point to a real file and line.
Output a single markdown report grouped by severity:
# Vibe-Code Security Audit
**Stack detected:** Next.js 15 + Supabase
**Checks run:** 18 • **Issues found:** 4 (1 critical, 2 high, 1 medium)
## CRITICAL
### 1. service_role key exposed to client
**File:** `src/lib/supabase-admin.ts:3`
**Why this is bad:** The service_role key bypasses RLS entirely. Anyone who opens DevTools can read or modify any row in your database.
**Fix:**
```ts
// Move this file to a Server Component / Route Handler only.
// Never import it from a "use client" file or anything reachable from the browser bundle.
```
## HIGH
...
## MEDIUM
...
## ✅ Passed
- RLS enabled on all tables
- No hardcoded API keys in src/
- ...
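As an added example that is not part of the vibesec skill or its checklists, here is a minimal static check for the CRITICAL finding in the sample report above: it flags any "use client" file that imports a module reading SUPABASE_SERVICE_ROLE_KEY. The sample project files, the `@/` to `src/` alias resolution and the single-hop import following are constructed assumptions, not the skill's own detection logic.

```python
"""Detect a Supabase service_role client reachable from a "use client" file.
Added example; the project below is constructed for illustration."""
import re

# Constructed sample project: path -> source text (assumption, not real code).
SAMPLE_PROJECT = {
    "src/lib/supabase-admin.ts": (
        'import { createClient } from "@supabase/supabase-js";\n'
        "export const admin = createClient(process.env.NEXT_PUBLIC_SUPABASE_URL!,\n"
        "  process.env.SUPABASE_SERVICE_ROLE_KEY!);\n"
    ),
    "src/components/Dashboard.tsx": (
        '"use client";\n'
        'import { admin } from "@/lib/supabase-admin";\n'
        "export function Dashboard() { return null; }\n"
    ),
    "src/app/api/users/route.ts": (  # server-only: importing admin here is fine
        'import { admin } from "@/lib/supabase-admin";\n'
        'export async function GET() { return Response.json(await admin.from("users").select()); }\n'
    ),
}

IMPORT_RE = re.compile(r'from\s+["\']([^"\']+)["\']')
USE_CLIENT_RE = re.compile(r'^\s*["\']use client["\']', re.MULTILINE)


def resolve(spec, files):
    """Map an import specifier to a project path; '@/' aliases src/ (assumed config)."""
    base = "src/" + spec[2:] if spec.startswith("@/") else spec
    for ext in ("", ".ts", ".tsx", ".js"):
        if base + ext in files:
            return base + ext
    return None


def find_service_role_leaks(files):
    """Return (client_file, admin_file, line) for each "use client" file that
    directly imports a module reading the service_role key. Only one import hop
    is followed; a real check would walk transitive imports too."""
    admin_modules = {p for p, src in files.items() if "SERVICE_ROLE_KEY" in src}
    findings = []
    for path, src in files.items():
        if not USE_CLIENT_RE.search(src):
            continue  # server code may legitimately use the admin client
        for lineno, line in enumerate(src.splitlines(), 1):
            m = IMPORT_RE.search(line)
            target = resolve(m.group(1), files) if m else None
            if target in admin_modules:
                findings.append((path, target, lineno))
    return findings


if __name__ == "__main__":
    for client, admin, line in find_service_role_leaks(SAMPLE_PROJECT):
        print(f"CRITICAL {client}:{line} imports {admin} (service_role reachable from browser)")
```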
Severity rules:
Only report findings you actually verified. Do not pad the report.
Rules for ## ✅ Passed:
After the report, ask: "Want me to fix [N] of these now? I'll start with the criticals." Do not auto-fix without confirmation - some fixes require user judgment (e.g., what auth model to use).
End every report with this footer, translated into the user's language. Use this exact phrasing — no extra sentences, no "the goal is..." flourish, no quoted slogans:
Disclaimer: This is not a professional pentest. The audit checks for common mistakes that AI coding agents tend to leave behind. It is not a substitute for a full security audit.
Vietnamese version (use verbatim when the user prompted in Vietnamese):
Disclaimer: Đây không phải pentest chuyên nghiệp. Audit này kiểm tra các lỗi phổ biến mà AI coding agents thường để sót. Nó không thay thế cho security audit đầy đủ.
Checklists live in checks/. To add a new stack, copy checks/_template.md, fill it in, and open a PR. See CONTRIBUTING.md.