AgentSkillsCN

vibe-security-audit

针对AI辅助(Vibe编码)项目中常见的安全漏洞,对代码库进行全面安全审计。本工具提供30项检查清单,涵盖敏感信息泄露、注入攻击、身份认证配置错误、CORS问题、依赖库漏洞,以及生产环境就绪度等关键领域。当您需要审查代码的安全隐患、为部署做准备,或在用户提到“安全审计”“漏洞检测”“Vibe编码安全”时,此工具将助您快速发现问题、防患于未然。

SKILL.md
--- frontmatter
name: vibe-security-audit
description: Audits codebases for security vulnerabilities common in AI-assisted (vibe coded) projects. Runs a 30-point checklist covering secrets exposure, injection attacks, auth misconfig, CORS, dependency vulnerabilities, and production readiness. Use when reviewing code for security issues, preparing for deployment, or when the user mentions security audit, vulnerability check, or vibe coding security.
license: MIT
metadata:
  author: Kedasha | @itsthatladydev
  version: "3.0"

Vibe Security Audit

Perform a 30-point security audit on the target code. If an argument is provided, focus on $ARGUMENTS. Otherwise, audit the entire project.

Contents

Step 1: Detect Tech Stack

Identify what to check by examining these files:

DetectLook for
Frameworknext.config.*, nuxt.config.*, astro.config.*, vite.config.*
Package managerpackage.json, requirements.txt, go.mod, Gemfile
Databaseprisma/, drizzle.config.*, supabase/, firebase.json
AuthImports: @clerk, next-auth, @supabase/auth, @auth0, lucia
StorageImports: @aws-sdk/client-s3, @supabase/storage, @google-cloud/storage
AI APIsImports: openai, @anthropic-ai/sdk, @google/generative-ai
PaymentImports: stripe, @paddle/paddle-node
EmailImports: resend, @sendgrid/mail, nodemailer
Deploymentvercel.json, netlify.toml, fly.toml, Dockerfile

Skip checks that don't apply to the detected stack.

Step 2: Run Audit

Copy this checklist and check off items as you complete them:

code
Audit Progress:
- [ ] Step 1: Detect tech stack
- [ ] Step 2a: Run critical checks (1, 3, 5, 6, 11) — see checks/critical.md
- [ ] Step 2b: Run standard checks (2, 4, 7-10, 12-20) — see checks/standard.md
- [ ] Step 2c: Run production checks (21-30) — see checks/production.md
- [ ] Step 3: Calculate score and compile report

Run critical checks first — read checks/critical.md and execute all 5 checks before proceeding.

Then read checks/standard.md and checks/production.md for remaining checks. Skip any that don't apply to the detected stack.

Step 3: Score and Report

Severity Scale

ScoreLevelAction
10/10CriticalFix before deploying
8-9/10HighFix within 24 hours
6-7/10MediumFix within 1 week
4-5/10LowFix when convenient
1-3/10InformationalConsider addressing

Project score = 100 minus sum of severity scores for all issues found (minimum 0).

ScoreRating
90-100Excellent
70-89Good — minor issues
50-69Fair — needs attention
30-49Poor — significant risk
0-29Critical — do not deploy

Output Format

markdown
# Security Audit Report

## Detected Tech Stack
- **Framework**: [detected]
- **Database**: [detected]
- **Auth**: [detected]
- **Deployment**: [detected]
- **Other**: [AI APIs, payment, email, storage if detected]

## Summary
[1-2 sentence overview]

**Project Score**: [X/100] — [Rating]
**Checks Run**: [X/30]
**Issues Found**: [count]

## Quick Wins (fixable in under 10 minutes)
| # | Issue | Severity | Fix Time | Fix |
|---|-------|----------|----------|-----|
| 1 | [issue] | [X/10] | [time] | [one-line fix] |

## Critical Issues (Severity 8-10)
- **[Check Name]** (Severity: X/10)
  - File: [file:line]
  - Pattern matched: [what was found]
  - Fix: [specific remediation]

## High Priority (Severity 6-7)
[Same format]

## Medium Priority (Severity 4-5)
[Same format]

## Low Priority (Severity 1-3)
[Same format]

## Passed Checks
[Check number and name for each passing check]

## Not Applicable
[Check number, name, and reason skipped]

Reference exact files and line numbers. Show which pattern matched. Provide actionable fix instructions for every issue.