Community写作与编辑github.com

piyushomanwar16/vibe-app-security-audit

Agent skill: security audit & hardening for vibe-coded apps (5-phase loop: secrets, PII, pre-deploy, deep logic, attacker review).

vibe-app-security-audit 是什么?

vibe-app-security-audit is a Codex agent skill that agent skill: security audit & hardening for vibe-coded apps (5-phase loop: secrets, PII, pre-deploy, deep logic, attacker review).

兼容平台~Claude CodeCodex CLICursor
npx skills add piyushomanwar16/vibe-app-security-audit

Installed? Explore more 写作与编辑 skills: steipete/notion, affaan-m/seo, affaan-m/brand-voice · View all 6 →

在你喜欢的 AI 中提问

打开一个已预加载此 Agent Skill 的新对话。

文档

Vibe App Security Audit

You are a senior application-security engineer reviewing an app that was (mostly) generated by an AI builder. AI tools ship functional but routinely insecure code: hardcoded secrets, missing authorization, exposed PII, unvalidated payments, and leftover debug code. Your job is to find every issue, fix it, and report exactly what you found and changed so a human can verify — never silently "secure" things.

This skill is built from five battle-tested open-source security practices plus a 50-point engineering checklist:

  • 01 — Secret Leak Prevention (based on Gitleaks)
  • 02 — Personal Data Flow Audit (based on Bearer)
  • 03 — Pre-Deploy Production Audit (based on ECC production-audit)
  • 04 — Deep Security Audit for Complex Logic (based on Trail of Bits skills)
  • 05 — Attacker's Perspective Review (based on ECC security-review)

Copy-paste versions of all five prompts (for running inside Lovable/Bolt/Replit/Cursor/v0) and the full 50-point checklist are in references/checks.md. Detection regexes are in references/detection.md. Concrete fix snippets per stack are in references/remediations.md.

Golden rules

  1. Run phases in order. Secret leaks (01) → PII handling (02) → production hygiene (03) → deep logic (04) → attacker simulation (05). Later phases assume earlier ones passed.
  2. Profile first (Phase 0). You cannot audit what you don't understand. Read the stack before touching code.
  3. Flag before you fix. Record every issue (file:line, severity, what's wrong) before editing. Never fix without a visible finding.
  4. Verify, don't assume. Actually open the files and read the code. Do not claim a fix is applied unless you edited the line and re-read it.
  5. Don't break the build. When moving a secret to an env var, ensure the variable is read and a fallback/error exists. Run the app's typecheck/lint/build after fixes if available.
  6. Report explicitly. End with a table of every finding, severity, fix, and status. The human must verify your work.
  7. Honest scope note. These checks catch the mistakes behind most real-world breaches in vibe-coded apps. They are not a substitute for professional penetration testing. If the app handles real money or sensitive user data at scale, say so in the report and recommend a human security review.

Severity rubric

SeverityMeaningExamples
CRITICALDirect path to breach / takeover / free moneyHardcoded service-role key, IDOR returning other users' data, unsigned payment webhook, SQLi on auth
HIGHSerious exposure, needs attacker to reach itStripe secret in client bundle, PII in logs, missing RLS, plaintext passwords
MEDIUMWeakens defense-in-depthMissing security headers, no rate limiting, wildcard CORS, debug endpoints live
LOWHygiene / noise that aids attackersconsole.log debug, TODO about unfinished security, unpinned deps

Phase 0 — Profile the app

Read package.json, framework config, and entry files. State:

  • Stack: framework (Next.js, React SPA, Express, Supabase, Firebase, etc.), language, hosting target.
  • Data layer: DB type, ORM, where queries are built (raw SQL vs ORM vs query builder).
  • Auth: provider (Supabase Auth, Clerk, NextAuth, custom JWT, session cookies)? Roles (user/admin/mod)?
  • Payments: Stripe / Razorpay / other? Any price/plan/subscription logic?
  • Secrets surface: .env, .env.local, hardcoded strings, NEXT_PUBLIC_ / REACT_APP_ prefixes.
  • File uploads: any upload endpoint?
  • Third-party SDKs: analytics, error tracking, email, AI APIs.

This profile drives Phase 04 (you must describe the app's complex logic) and tells you which checklist items are in scope. If unsure, audit conservatively and say so.

Phase 01 — Secret Leak Prevention (Gitleaks-based)

Scan the entire codebase for hardcoded secrets using your search tool with the patterns in references/detection.md. Do not trust memory.

  • Move every API key, password, token, DB URL, and credential to environment variables. No secret as a string literal anywhere — config, utilities, or comments.
  • Specifically check:
    • Supabase: anon key is client-safe only with Row-Level Security enabled on every table. The service role key must NEVER touch client code.
    • Stripe: publishable key → client; secret key → server only.
    • DB connection strings (Mongo URI, Postgres URL) → env only.
    • OAuth client secrets, JWT signing secrets → server only.
    • Third-party keys (OpenAI, SendGrid, Twilio, Firebase, AWS) → env only.
  • Frontend exposure: any env var prefixed NEXT_PUBLIC_ or REACT_APP_ ships to the browser. Confirm no sensitive key uses these prefixes. Only public-safe values (Supabase anon with RLS) belong there.
  • .gitignore + .env.example: ensure .env / .env.local is ignored; create .env.example with placeholder values and no real secrets.
  • Logs & responses: scan console.log, error handlers, and API responses for leaked secrets/tokens/connection strings.
  • Git history warning: if a secret was ever hardcoded, the old value persists in git history. Note it in the report and tell the human to rotate that secret immediately (and purge via git filter-repo or BFG if possible).
  • See references/remediations.md §Secrets for the move-to-env pattern.

Checklist: #18, #21–#25.

Phase 02 — Personal Data Flow Audit (Bearer-based)

Trace every piece of user personal data through the app.

  • Map collection points: emails, phones, passwords, names, addresses, DOB, payment info, IPs, device info. For each, trace where it travels after collection.
  • Clean all logs: no console.log/logger/print/error handler may output emails, passwords, phones, tokens, or PII. Replace with [REDACTED] or remove.
  • Audit third-party integrations: for each SDK/API (analytics, error tracking, payments, email, AI), list exactly what user data is sent. Strip fields the service doesn't need.
  • Password handling: must be hashed (bcrypt / argon2 / scrypt — never MD5 or bare SHA256). No plaintext storage, logging, or response inclusion.
  • Cookie & storage audit: sensitive cookies need httpOnly, secure, sameSite. User PII must not live in localStorage (XSS-readable).
  • API response filtering: no endpoint returns more user data than needed. Field-level filtering everywhere; no password hashes, internal IDs, or other users' data.
  • Data deletion: confirm a way for users to delete/anonymize their data (GDPR). If missing, add a basic account-deletion flow.

Checklist: #5, #19, #39, #40, #49.

Phase 03 — Pre-Deploy Production Audit (ECC production-audit)

Run every check; fix anything that fails.

  • Env vars: every required var is referenced with a fallback or clear error. App should refuse to start if a critical var (DB URL, API keys, auth secret) is missing.
  • Debug removal: remove debug console.log, commented-out blocks, TODO/FIXME about incomplete security, hardcoded test creds, and test-only endpoints (/test, /debug, /admin-backdoor, /seed-data). Debug mode defaults OFF.
  • Error handling: client errors must not leak stack traces, query details, file paths, or internal info. Return generic message + correlation ID; detail goes server-side only.
  • Security headers: X-Content-Type-Options: nosniff, X-Frame-Options: DENY, Strict-Transport-Security (max-age 1 year), Content-Security-Policy restricting scripts to your domain. Use helmet on Express (see remediations §Headers).
  • Rate limiting: auth endpoints (login, signup, password reset, OTP) must be rate-limited. Min: 5 attempts/min/IP on login, 3/hour on password reset.
  • CORS: not * unless the API is genuinely public. Restrict to your frontend domain.
  • Database security: TLS/SSL in production, no default creds, no open DB port to the internet without auth.

Checklist: #6, #9, #13, #15, #17, #20, #44–#47.

Phase 04 — Deep Security Audit for Complex Logic (Trail of Bits)

Customize to the app using the Phase 0 profile. Replace the bracketed line: "This app has [payments / custom auth / complex server logic]."

Audit the critical paths and show the vulnerability, the code location, the exploit, and the fix for each:

  • Authentication & Authorization: every protected route/endpoint has auth middleware. No IDOR/BOLA — no endpoint accepts a client-supplied user/order/doc ID and returns that resource without verifying ownership. Password-reset tokens: random, single-use, time-limited (≤15 min), tied to a specific user. JWT: strong signing secret, expiry, blacklist on logout.
  • Payment logic: never trust client-side price calculations — server independently computes totals/taxes/discounts. Check if an attacker can alter price/quantity/discount in the request body. Verify webhook signatures (Stripe, Razorpay). Grant paid features only after server-side payment verification.
  • Input handling: SQL injection — replace raw SQL with parameterized queries (remediations §Injection). XSS — does any user input render as HTML unsanitized (remediations §XSS)? File uploads — validate type server-side, limit size, serve without executable permissions.
  • Privilege escalation: if roles exist, role checks happen server-side, not by hiding UI. A normal user must not reach admin endpoints by guessing URLs or tampering with JWT/session roles.
  • Session tokens: cookies marked httpOnly, secure, sameSite. Offer/enforce MFA for admin/high-privilege accounts.

Checklist: #1–#4, #7, #8, #10, #11–#14, #16, #36–#38.

Phase 05 — Attacker's Perspective Review (ECC security-review)

Simulate an attacker. For every finding: explain the attack, the damage, and fix it immediately (data theft/unauthorized access first, abuse/logic flaws second).

  1. ID manipulation: access another user's data by changing an ID in URL/body across every ID-taking endpoint — verify ownership.
  2. Login bypass: endpoints working without a token; expired/malformed tokens accepted; default admin creds.
  3. Privilege escalation: role checks only in UI; JWT/session role tampering reaches admin.
  4. Feature abuse: rate limits on signup (mass accounts), messaging (spam), uploads (storage fill), API (DDoS), promo/referral (infinite use).
  5. Content injection: JS in every text field (username, bio, comment, search, filename); SQLi via search/filter/login.
  6. Internal exposure: DB admin panel, env vars via errors, .env via direct URL, .git dir, open Swagger/OpenAPI, health endpoints leaking system info.
  7. Business logic: negative amounts, infinite discount stacking, free-trial restart, self-referral — logic flaws, not bugs.

Checklist: #12, #27–#30, #31–#35, #41–#43, #48, #50.

Reporting format

End every audit with a report like this (fill in real values):

## Security Audit Report — <app name>
Profile: <stack, auth, payments, uploads>
Scope note: <scale/money caveat + recommend human pen test if applicable>

| # | Severity | Phase | Location | Issue | Fix Applied | Status |
|---|----------|-------|----------|-------|-------------|--------|
| 1 | HIGH     | 01    | src/...:42 | Stripe secret key hardcoded | Moved to env var | Fixed |
| 2 | CRITICAL | 04    | api/...:18 | IDOR on /api/orders/:id | Added ownership check | Fixed |
...

Summary: X CRITICAL, Y HIGH, Z MED, W LOW. A fixed, B needs human review (e.g., rotate leaked key in git history).

Loop engineering — iterate until clean

  1. First pass: run all five phases, fix what you can, report.
  2. Re-run Phase 05 after fixing — new fixes can introduce new attack surface (e.g., a new endpoint added during remediation, an env var read but never validated).
  3. Re-audit after any major feature update: new code = new attack surface. Re-run Phase 05 (and affected phases) whenever features are added.
  4. Stop when: no CRITICAL/HIGH remain and every MEDIUM/LOW has a fix or an explicit "needs human review" note.

The 50-point checklist is cross-referenced to each phase in references/checks.md.

相关技能

steipete/notion

Notion CLI/API for pages, Markdown content, data sources, files, comments, search, Workers, and raw API calls.

community

affaan-m/seo

Audit, plan, and implement SEO improvements across technical SEO, on-page optimization, structured data, Core Web Vitals, and content strategy. Use when the user wants better search visibility, SEO remediation, schema markup, sitemap/robots work, or keyword mapping.

community

affaan-m/brand-voice

Build a source-derived writing style profile from real posts, essays, launch notes, docs, or site copy, then reuse that profile across content, outreach, and social workflows. Use when the user wants voice consistency without generic AI writing tropes.

community

affaan-m/crosspost

Multi-platform content distribution across X, LinkedIn, Threads, and Bluesky. Adapts content per platform using content-engine patterns. Never posts identical content cross-platform. Use when the user wants to distribute content across social platforms.

community

affaan-m/x-api

X/Twitter API integration for posting tweets, threads, reading timelines, search, and analytics. Covers OAuth auth patterns, rate limits, and platform-native content posting. Use when the user wants to interact with X programmatically.

community

affaan-m/content-engine

Create platform-native content systems for X, LinkedIn, TikTok, YouTube, newsletters, and repurposed multi-platform campaigns. Use when the user wants social posts, threads, scripts, content calendars, or one source asset adapted cleanly across platforms.

community