
Vibe Security Skill
Run a focused security pass on AI-assisted code for secrets, auth, payments, and stack-specific mistakes before you ship or expose production data.
Overview
Vibe Security Skill is an agent skill most often used in Ship (also Build integrations) that audits vibe-coded apps for AI-introduced security anti-patterns.
Install
npx skills add https://github.com/aradotso/security-skills --skill vibe-security-skill
What is this skill?
- Stack-aware audits using reference files for Supabase, Stripe, React Native, and related vibe-coded stacks
- Detects hardcoded API keys, missing RLS, insecure auth, and client-submitted payment amounts
- Flags tokens in localStorage, missing rate limits, and exposed mobile bundle secrets
- Trigger phrases include audit my code, scan for hardcoded secrets, and validate my auth implementation
- Designed for patterns AI coding assistants commonly introduce in generated apps
Adoption & trust: 570 installs on skills.sh; 1 GitHub star; 3/3 security scanners passed (skills.sh audits).
What problem does it solve?
You shipped fast with an AI assistant and are unsure whether secrets, auth, RLS, or payments are actually safe in production.
Who is it for?
Indie builders on Supabase, Stripe, or React Native stacks who want a security checklist aligned to AI-generated code habits.
Skip if: Regulated enterprises needing formal compliance attestation or full pen-test engagement—use dedicated security firms instead.
When should I use this skill?
User asks to audit for security issues, check vulnerabilities, review RLS, validate auth, scan secrets, or run a vibe security audit.
What do I get? / Deliverables
You get a structured audit pass highlighting stack-relevant vulnerabilities so you can fix issues before release or before widening beta access.
- Prioritized findings on secrets, RLS, auth, payments, and rate limiting gaps
- Stack-scoped remediation guidance tied to reference audit rules
Journey fit
Spans multiple journey phases - primary shelf plus alternate fits below.
Shipping is where you gate risk: this skill is shelved under ship/security because it exists to catch exploitable patterns before users touch the app. Security subphase covers vulnerability hunting and policy validation—not generic code style—matching RLS, auth, and payment flow reviews.
Where it fits
Run an audit after the agent adds Stripe checkout and Supabase tables before opening signups.
Validate auth and RLS right after wiring OAuth and client SDK calls.
Re-scan when you merge a large AI-generated PR that touches env vars or API routes.
How it compares
Use a vibe-coded vulnerability checker instead of generic lint rules that miss RLS and payment-trust bugs.
Common Questions / FAQ
Who is vibe-security-skill for?
Solo and small-team builders using Claude Code or similar agents who need practical audits on auth, payments, and datastore policies.
When should I use vibe-security-skill?
In Ship before launch, in Build after wiring Supabase or Stripe, and in Operate when you suspect regressions after a large agent refactor.
Is vibe-security-skill safe to install?
It guides read-oriented security review; confirm install source and read the Security Audits panel on this Prism page before granting repo access.
SKILL.md - Vibe Security Skill
# Vibe Security Skill

> Skill by [ara.so](https://ara.so) — Security Skills collection.

This skill provides expertise in using the Vibe Security tool to audit vibe-coded applications for common security vulnerabilities that AI coding assistants frequently introduce. It helps identify hardcoded secrets, missing RLS policies, insecure auth patterns, payment vulnerabilities, and other security anti-patterns.

## What Vibe Security Does

Vibe Security is an agent skill that scans codebases for security vulnerability patterns common in AI-generated code. It uses technology-specific reference files to audit only the relevant parts of your stack (Supabase, Stripe, React Native, etc.), catching issues like:

- Hardcoded API keys and secrets
- Disabled or missing Row-Level Security (RLS) policies
- Insecure authentication patterns
- Client-submitted payment amounts
- Missing rate limiting
- Tokens stored in localStorage
- Exposed secrets in mobile bundles
- AI API keys without usage caps

## Installation

### For Claude Code

```bash
npx skills add https://github.com/raroque/vibe-security-skill --skill vibe-security
```

### For OpenAI Codex

```bash
npx skills add https://github.com/raroque/vibe-security-skill --skill vibe-security
```

Select "Codex" when prompted.

### Manual Installation

```bash
# Project-level
git clone https://github.com/raroque/vibe-security-skill.git
cp -r vibe-security-skill/vibe-security/ .claude/skills/vibe-security/

# Global installation
cp -r vibe-security-skill/vibe-security/ ~/.claude/skills/vibe-security/
```

## Usage

### Triggering Security Audits

**Claude Code:**

```
/vibe-security
```

Or use natural language:

- "check my code for security issues"
- "is this safe?"
- "audit this Supabase setup"

**Codex:**

```
$vibe-security
```

### Automatic Activation

The skill automatically activates when working with:

- Authentication flows
- Payment processing
- Database queries
- API key configuration
- User data handling
- Environment variables

## Key Security Checks

### 1. Secrets & Environment Variables

**Bad Pattern:**

```typescript
import { createClient } from '@supabase/supabase-js'

// ❌ Hardcoded secret: anyone who reads the bundle or the repo has the key
const supabase = createClient(
  'https://xxx.supabase.co',
  'eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...'
)

// ❌ Exposed in client bundle
const OPENAI_API_KEY = 'sk-proj-...'
```

**Good Pattern:**

```typescript
import { createClient } from '@supabase/supabase-js'
import OpenAI from 'openai'

// ✅ Environment variables; the anon key is designed to be public and is gated by RLS
const supabase = createClient(
  process.env.NEXT_PUBLIC_SUPABASE_URL!,
  process.env.NEXT_PUBLIC_SUPABASE_ANON_KEY!
)

// ✅ Server-side only: no NEXT_PUBLIC_ prefix, so it is never inlined into the client bundle
const openai = new OpenAI({
  apiKey: process.env.OPENAI_API_KEY // Not NEXT_PUBLIC_
})
```

### 2. Supabase Row-Level Security

**Bad Pattern:**

```sql
-- ❌ RLS disabled: every row is readable through the anon key
CREATE TABLE user_data (
  id uuid,
  user_id uuid,
  sensitive_data text
);
-- No ALTER TABLE ... ENABLE ROW LEVEL SECURITY

-- ❌ Allows everything: RLS is on, but the policy grants all rows to all roles
CREATE POLICY "allow_all" ON user_data FOR ALL USING (true);
```

**Good Pattern:**

```sql
-- ✅ RLS enabled with per-user policies
CREATE TABLE user_data (
  id uuid DEFAULT gen_random_uuid() PRIMARY KEY,
  user_id uuid REFERENCES auth.users NOT NULL,
  sensitive_data text
);

ALTER TABLE user_data ENABLE ROW LEVEL SECURITY;

CREATE POLICY "users_select_own" ON user_data
  FOR SELECT USING (auth.uid() = user_id);

CREATE POLICY "users_insert_own" ON user_data
  FOR INSERT WITH CHECK (auth.uid() = user_id);

CREATE POLICY "users_update_own" ON user_data
  FOR UPDATE USING (auth.uid() = user_id)
  WITH CHECK (auth.uid() = user_id);
```

### 3. Authentication & Authorization

**Bad Pattern:**

```typescript
// ❌
```
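The secrets check above is what the skill asks the agent to perform by reading code; as an added example (not the skill's own code, and not how the skill implements its rules), here is a small Node script that applies the same four anti-patterns to a constructed sample file and, for JWT literals, decodes the Supabase `role` claim to tell the public anon key apart from the service_role key. The sample keys are placeholders; `Stripe`, `session` and the file contents are invented for the demonstration.

```javascript
// Added example, not the skill's own code: a minimal scanner for the secrets
// anti-patterns listed above, run over a constructed sample source file.
const RULES = [
  { id: 'openai-key-literal', re: /['"`]sk-[A-Za-z0-9_-]{16,}['"`]/,
    why: 'OpenAI-style key hardcoded; read it from process.env on the server' },
  { id: 'jwt-literal', re: /['"`]eyJ[\w-]+\.[\w-]+\.[\w-]*['"`]/,
    why: 'JWT literal in source; Supabase keys belong in environment variables' },
  { id: 'public-server-secret', re: /NEXT_PUBLIC_\w*(SERVICE_ROLE|SECRET|OPENAI)\w*/,
    why: 'NEXT_PUBLIC_ variables are inlined into the client bundle' },
  { id: 'token-in-localstorage',
    re: /localStorage\.setItem\(\s*['"`][^'"`]*(token|jwt|session)/i,
    why: 'tokens in localStorage are readable by any injected script' },
];
// Supabase keys are JWTs whose payload carries a "role" claim. The anon key is
// meant to be public; the service_role key bypasses RLS and must stay server-side.
function jwtRole(jwt) {
  const payload = (jwt.split('.')[1] || '').replace(/-/g, '+').replace(/_/g, '/');
  try {
    return JSON.parse(Buffer.from(payload, 'base64').toString('utf8')).role ?? null;
  } catch {
    return null; // not a decodable JWT payload
  }
}

// Returns one finding per matching rule and line: { line, rule, why }.
function scanSource(src) {
  const findings = [];
  src.split('\n').forEach((line, i) => {
    for (const rule of RULES) {
      const m = rule.re.exec(line);
      if (!m) continue;
      let why = rule.why;
      if (rule.id === 'jwt-literal' && jwtRole(m[0].slice(1, -1)) === 'service_role') {
        why = 'service_role key in source: bypasses RLS for anyone who reads the bundle';
      }
      findings.push({ line: i + 1, rule: rule.id, why });
    }
  });
  return findings;
}
// Constructed sample with placeholder keys; the last line is the acceptable pattern.
const SAMPLE = `import { createClient } from '@supabase/supabase-js'
const supabase = createClient('https://example.supabase.co',
  'eyJhbGciOiJIUzI1NiJ9.eyJyb2xlIjoic2VydmljZV9yb2xlIn0.EXAMPLE-SIG')
const OPENAI_API_KEY = 'sk-proj-EXAMPLE0000000000000000'
const stripe = new Stripe(process.env.NEXT_PUBLIC_STRIPE_SECRET_KEY)
localStorage.setItem('access_token', session.access_token)
const ok = createClient(process.env.NEXT_PUBLIC_SUPABASE_URL, process.env.NEXT_PUBLIC_SUPABASE_ANON_KEY)`;

for (const f of scanSource(SAMPLE)) console.log(`line ${f.line} [${f.rule}] ${f.why}`);
```

The last sample line produces no finding because the URL and anon key are the intended public values; only the first four lines after the import trip a rule.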