Stop vibe coding vulnerabilities into production.
An AI skill that brings 5+ years of bug bounty hunting experience directly into your AI coding workflow - so LLM models write secure code from the start.
Vibe coding is fun until your app ends up on social media for all the wrong reasons.
We have all seen the posts/memes:
- API keys hardcoded in JavaScript bundles
- IDOR vulnerabilities allowing user data dumps
- No authentication for sensitive pages
- Weak passwords for admin panels
Security gaps aren't obvious until someone exploits them. Without the right guidance, AI will confidently ship vulnerable patterns alongside your features.
VibeSec is an AI Skill that acts as a security-first co-pilot. It teaches your selected model to approach your code from a bug hunter's perspective, catching vulnerabilities before they ship.
Tip
This skill already covers 60-70% of the common vulnerabilities. However, if you need a more robust version with more vulnerability coverage, please visit vibesec.sh
-
Claude Code
-
Clone this repository:
git clone https://github.com/BehiSecc/VibeSec-Skill -
Add it to
~/.claude/skills(global) or.claude/skillsin your project directory (project-only).
-
-
Cursor
-
Clone this repository:
git clone https://github.com/BehiSecc/VibeSec-Skill -
Add it to
~/.cursor/skills(global) or.cursor/skillsin your project directory (project-only).
-
-
Codex
-
Clone this repository:
git clone https://github.com/BehiSecc/VibeSec-Skill -
Add it to
~/.agents/skills(global) or.agents/skillsin your project directory (project-only).
-
-
Github Copilot
-
Clone this repository:
git clone https://github.com/BehiSecc/VibeSec-Skill -
Add it to
~/.copilot/skills(global) or.github/skillsin your project directory (project-only).
-
-
Antigravity
-
Clone this repository:
git clone https://github.com/BehiSecc/VibeSec-Skill -
Add it to
~/.gemini/antigravity/skills/(global) or.agent/skills/in your project directory (project-only).
-
VibeSec provides comprehensive protection against:
| Category | Covered Vulnerabilities |
|---|---|
| Access Control | IDOR, Privilege Escalation, Horizontal/Vertical Access, Mass Assignment, Token Revocation |
| Client-Side | XSS (Stored, Reflected, DOM), CSRF, Secret Key Exposure, Open Redirect |
| Server-Side | SSRF, SQL Injection, XXE, Path Traversal, Insecure File Upload |
| Authentication | Weak Passwords, Session Management, Account Lifecycle, JWT Security |
| API Security | Mass Assignment, GraphQL Security |
- ✅ Bypass techniques - Not just "sanitize input" but specific bypasses attackers use
- ✅ Edge cases - URL fragments, DNS rebinding, polyglot files, Unicode tricks
- ✅ Framework-aware - Patterns for React, Vue, Node.js, Python, Java, .NET
- ✅ Cloud-aware - Metadata endpoint protection for AWS, GCP, Azure
- ✅ Checklists - Actionable verification steps for each vulnerability class
# Add the skill to your project dir:
"I'm building a [web app description]. Please follow secure coding practices."
# Claude/Codex/etc will now automatically:
# - Implement proper access controls
# - Add security headers
# - Validate and sanitize all inputs
# - Flag potential security issuesIf you have suggestions, improvements, or new resources to add:
- Fork this repo
- Make your changes
- Submit a Pull Request
You can also open an Issue 🐛 if you spot something that needs fixing.
If you want to contact me, you can reach me on X.