# vibe-security-checker

> Comprehensive security scanner for AI-generated and vibe-coded applications. Use this skill when reviewing, auditing, or validating code generated by AI tools (Cursor, Copilot, Claude Code, Replit, Lovable, Bolt, v0, etc.) for security vulnerabilities. Triggers on requests to check code security, audit AI-generated code, find vulnerabilities, security review, scan for risks, validate before deployment, or any mention of vibe coding security. Covers OWASP Top 10, injection flaws, authentication issues, supply chain risks, cloud misconfigurations, secrets exposure, and AI-specific vulnerabilities like prompt injection.

- Author: Patrick André Gjøl
- Repository: PardrickG/playflow
- Version: 20260206092904
- Stars: 0
- Forks: 0
- Last Updated: 2026-02-06
- Source: https://github.com/PardrickG/playflow
- Web: https://mule.run/skillshub/@@PardrickG/playflow~vibe-security-checker:20260206092904

---

---
name: vibe-security-checker
description: Comprehensive security scanner for AI-generated and vibe-coded applications. Use this skill when reviewing, auditing, or validating code generated by AI tools (Cursor, Copilot, Claude Code, Replit, Lovable, Bolt, v0, etc.) for security vulnerabilities. Triggers on requests to check code security, audit AI-generated code, find vulnerabilities, security review, scan for risks, validate before deployment, or any mention of vibe coding security. Covers OWASP Top 10, injection flaws, authentication issues, supply chain risks, cloud misconfigurations, secrets exposure, and AI-specific vulnerabilities like prompt injection.
---

# Vibe Security Checker

Security validation for AI-generated code. 45% of it contains vulnerabilities (Veracode 2025), with 86% XSS and 88% log injection failure rates.

## Workflow

1. **Detect project** → `python3 scripts/detect_project.py`
2. **Full scan** → `python3 scripts/scan_security.py --full`
3. **Check dependencies** → `python3 scripts/check_dependencies.py`
4. **Generate report** → `python3 scripts/generate_report.py`

## Quick Commands

```bash
# Full security audit
python3 scripts/scan_security.py . --full

# Specific checks
python3 scripts/scan_security.py . --check secrets
python3 scripts/scan_security.py . --check injection
python3 scripts/scan_security.py . --check auth
python3 scripts/scan_security.py . --check xss
python3 scripts/scan_security.py . --check crypto
python3 scripts/scan_security.py . --check cloud

# Pre-commit gate (fails on critical findings)
python3 scripts/scan_security.py . --severity critical --fail-on-findings
```

## Priority Matrix

| Priority | Categories | Action |
|----------|-----------|--------|
| **CRITICAL** | Secrets, SQL/Cmd injection, Auth bypass | Block deployment |
| **HIGH** | XSS, Weak crypto, Missing RLS | Fix before prod |
| **MEDIUM** | Input validation, Error exposure, CORS | Fix soon |
| **LOW** | Logging gaps, Minor hardening | Schedule fix |

## Reference Files

Consult these for detailed patterns and remediation:

| Reference | Content |
|-----------|---------|
| [secrets.md](references/secrets.md) | Hardcoded credentials, API keys, common AI-generated secrets |
| [injection.md](references/injection.md) | SQL, command, XSS, log injection patterns |
| [auth.md](references/auth.md) | Authentication, authorization, session, RLS |
| [crypto.md](references/crypto.md) | Weak algorithms, insecure random, key management |
| [supply-chain.md](references/supply-chain.md) | Package hallucination, vulnerable deps, malicious packages |
| [infrastructure.md](references/infrastructure.md) | Cloud misconfig, CORS, Firebase/Supabase security |
| [operations.md](references/operations.md) | Logging, error handling, monitoring gaps |
| [ai-specific.md](references/ai-specific.md) | AI tool patterns, slopsquatting, common AI mistakes |
| [guardrails.md](references/guardrails.md) | Complete rule database with detection logic |

## Manual Review Checklist

After the automated scan, verify:

1. All protected routes actually enforce authentication
2. Authorization checks validate ownership, not just auth status
3. All user inputs are parameterized in database queries
4. File uploads are validated server-side (type, size)
5. All secrets use environment variables
6. Error responses don't expose internals

## Claude Code Integration

When working in Claude Code:

1. Run a `--full` scan before implementing features
2. Address CRITICAL findings immediately
3. Create tracked issues for HIGH/MEDIUM
4. Re-scan after fixes to verify remediation
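
Items 2 and 3 of the Manual Review Checklist are the ones a reviewer most often has to confirm by reading the data-access code, so here they are side by side as an added example; this is not code from this skill or its scripts. The `invoices` table, the function names and the sample rows are constructed for illustration.

```python
import sqlite3

def make_db():
    """Constructed sample data: two users, one invoice each."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE invoices (id INTEGER PRIMARY KEY, owner_id INTEGER, memo TEXT)")
    conn.executemany("INSERT INTO invoices VALUES (?, ?, ?)",
                     [(1, 100, "alice: hosting"), (2, 200, "bob: payroll")])
    return conn

def get_invoice_unsafe(conn, session_user_id, invoice_id):
    """Pattern to flag in review: the caller is logged in, but the row's owner
    is never compared to the session user, and invoice_id is spliced into SQL."""
    if session_user_id is None:          # checks auth status only
        raise PermissionError("login required")
    sql = f"SELECT id, owner_id, memo FROM invoices WHERE id = {invoice_id}"
    return conn.execute(sql).fetchall()

def get_invoice_safe(conn, session_user_id, invoice_id):
    """Hardened form: bound parameters plus an ownership predicate."""
    if session_user_id is None:
        raise PermissionError("login required")
    try:
        invoice_id = int(invoice_id)     # reject non-numeric ids early
    except (TypeError, ValueError):
        return []
    sql = "SELECT id, owner_id, memo FROM invoices WHERE id = ? AND owner_id = ?"
    return conn.execute(sql, (invoice_id, session_user_id)).fetchall()

if __name__ == "__main__":
    db = make_db()
    ALICE = 100                          # constructed session user id
    for label, fn in (("unsafe", get_invoice_unsafe), ("safe", get_invoice_safe)):
        print(label, "another user's id ->", fn(db, ALICE, "2"))
        print(label, "non-numeric input ->", fn(db, ALICE, "2 OR 1=1"))
```

The unsafe function passes an "is the user logged in" check yet returns another user's row, which is why checklist item 2 asks for ownership validation rather than auth status alone.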