# Ultra Thermo Nuclear VibeCoding Security Review: Agent Skill

## Core Principle
Never trust the client. Every price, user ID, role, subscription status, feature flag, and rate limit counter must be validated or enforced server-side. If it exists only in the browser, mobile bundle, or request body, an attacker controls it.
Additional principles (see core/principles.md):
- Defense in depth: never rely on a single security control
- Fail securely: when something breaks, deny access (fail closed)
- Least privilege: grant minimum permissions necessary
- Input validation: never trust user input; validate everything server-side
- Output encoding: encode data for the context it renders in
## Operating Modes

### Mode 1: AUDIT (post-hoc analysis)
Triggered by: "run a security audit", "check this for vulnerabilities", "vibe security audit", "is this safe?", or any explicit request to review existing code.
Process:
- Detect tech stack (see Step 1 below)
- Run the 50-point checklist (see core/audit-process.md)
- Calculate score and compile report (see core/output-format.md)
- Load relevant vulnerability references and stack modules as needed
### Mode 2: PREVENTIVE (during code generation)

Triggered by: writing or reviewing code that touches auth, payments, database access, API keys, secrets, user data, or file uploads, even if the user does not mention security.
Process:
- Identify which security domain applies to the code being written
- Consult the relevant reference file(s) BEFORE generating code
- Apply secure patterns from the start
- Add inline comments explaining security decisions when non-obvious
- Flag any security trade-offs to the user
## Step 1: Detect Tech Stack
Identify the project's technologies by examining these files:
| Detect | Look for |
|---|---|
| Framework | next.config.*, nuxt.config.*, astro.config.*, vite.config.*, angular.json, svelte.config.* |
| Package manager | package.json, requirements.txt, go.mod, Gemfile, Cargo.toml, pubspec.yaml |
| Database | prisma/, drizzle.config.*, supabase/, firebase.json, convex/ |
| Auth | Imports: @clerk, next-auth, @supabase/auth, @auth0, lucia, passport, firebase/auth |
| Storage | Imports: @aws-sdk/client-s3, @supabase/storage, @google-cloud/storage |
| AI APIs | Imports: openai, @anthropic-ai/sdk, @google/generative-ai, langchain, @ai-sdk |
| Payment | Imports: stripe, @paddle/paddle-node, @lemonsqueezy |
| Email | Imports: resend, @sendgrid/mail, nodemailer |
| GraphQL | schema.graphql, imports: @apollo/server, graphql-yoga, type-graphql |
| Mobile | app.json (Expo), react-native.config.js, capacitor.config.* |
| Deployment | vercel.json, netlify.toml, fly.toml, Dockerfile, docker-compose.*, .github/workflows/ |
| Edge Runtime | wrangler.toml, edge runtime directives in source |
Skip checks that don't apply to the detected stack.
## Step 2: Run Audit
Load the relevant checklist files and execute:
Audit Progress:
- [ ] Step 1: Detect tech stack
- [ ] Step 2a: Run critical checks (1-15), see checklists/critical-15.md
- [ ] Step 2b: Run standard checks (16-40), see checklists/standard-25.md
- [ ] Step 2c: Run production checks (41-50), see checklists/production-10.md
- [ ] Step 3: Calculate score and compile report, see core/output-format.md

Run critical checks first: read checklists/critical-15.md and execute all checks before proceeding.
For each check, consult the relevant reference files:
- Vulnerability details: vulnerabilities/*.md
- Stack-specific patterns: stack/*.md
- Production readiness: production/*.md
### Severity Scale
| Score | Level | Action Required |
|---|---|---|
| 10/10 | Critical | Fix before deploying |
| 8-9/10 | High | Fix within 24 hours |
| 6-7/10 | Medium | Fix within 1 week |
| 4-5/10 | Low | Fix when convenient |
| 1-3/10 | Informational | Consider addressing |
Project score = 100 minus sum of severity scores for all issues found (minimum 0).
| Score | Rating |
|---|---|
| 90-100 | ✅ Excellent |
| 70-89 | ⚠️ Good, minor issues |
| 50-69 | 🟡 Fair, needs attention |
| 30-49 | 🟠 Poor, significant risk |
| 0-29 | 🔴 Critical, do not deploy |
## Step 3: Output Report
Use the format defined in core/output-format.md. Key requirements:
- Reference exact files and line numbers
- Show which pattern matched for each finding
- Provide before/after code diffs for every issue
- Include Quick Wins section (fixable in < 10 minutes)
- End with prioritized summary
## Reference Index

### Core

- core/principles.md: Security principles and defense-in-depth strategies
- core/audit-process.md: 50-point checklist routing and execution order
- core/output-format.md: Report template with scoring
### Vulnerability Knowledge Base

- vulnerabilities/injection.md: SQL injection, XSS, command injection, LDAP injection
- vulnerabilities/access-control.md: IDOR, privilege escalation, mass assignment
- vulnerabilities/authentication.md: JWT, OAuth 2.0, PKCE, session management, password security
- vulnerabilities/csrf-ssrf.md: CSRF, SSRF, open redirect (with bypass technique tables)
- vulnerabilities/file-upload.md: Magic bytes, polyglot files, ZIP slip, SVG XSS
- vulnerabilities/cryptography.md: Encryption, hashing, key management, nonce reuse
- vulnerabilities/race-conditions.md: TOCTOU, double-spend, mutex patterns
### Stack-Specific Modules

- stack/supabase.md: RLS policies, auth, storage, edge functions
- stack/firebase.md: Security Rules, Firestore, auth
- stack/nextjs.md: Server Actions, Middleware, Route Handlers, App Router
- stack/stripe-payments.md: Webhooks, price validation, subscription flows
- stack/react-native.md: Secure storage, API proxy, deep links
- stack/ai-llm.md: API key protection, prompt injection, usage caps, output sanitization
- stack/graphql.md: Introspection, depth limiting, batching, persisted queries
- stack/docker-cicd.md: Container security, pipeline hardening
### Production Readiness

- production/security-headers.md: CSP, HSTS, X-Frame-Options, Permissions-Policy
- production/deployment.md: Source maps, env separation, debug endpoints
- production/compliance.md: GDPR, CCPA, account deletion, data retention
- production/observability.md: Logging security, PII sanitization, monitoring
- production/dependency-audit.md: Ghost packages, typosquatting, supply chain attacks
### Executable Checklists

- checklists/critical-15.md: 15 critical checks (fix before deploy)
- checklists/standard-25.md: 25 standard checks (fix within 1 week)
- checklists/production-10.md: 10 production readiness checks (before go-live)
## When Generating Code
These rules apply proactively. Before writing code that touches auth, payments, database access, API keys, or user data, consult the relevant reference file to avoid introducing vulnerabilities in the first place. Prevention is always better than detection.
When unsure, choose the more restrictive/secure option and document the security consideration in comments.