Adoption

Agent Skills are supported by leading AI development tools.

VS Code Gemini CLI GitHub Goose Amp Cursor Claude Code Letta OpenCode Claude OpenAI Codex Factory VS Code Gemini CLI GitHub Goose Amp Cursor Claude Code Letta OpenCode Claude OpenAI Codex Factory

aeondave/vibe-audit-technique

Name: vibe-audit-technique
Author: aeondave

offensive-techniques/vibe-audit-technique/SKILL.md

npx skillsauth add aeondave/malskill vibe-audit-technique

Clean

TrivyContainer and dependency vulnerability scanner

Clean

SemgrepStatic code analysis for vulnerabilities

Clean

mcp-scan (Snyk)Model Context Protocol security validation

Skipped

Snyk (dep)Open source security scanning

Skipped

Socket.devSupply chain security analysis

Skipped

VirusTotalMulti-engine malware detection

Skipped

CrowdStrikeAdvanced threat intelligence

Skipped

OSV-ScannerOpen Source Vulnerability database check

Skipped

OWASP Dep-Check

vibe-audit-technique

Goal: Identify critical, high-frequency security omissions in modern web stacks (Next.js, Firebase, Supabase, VITE) that are typically generated by AI coding assistants.

When this technique applies

You have source-code access to a modern web application or mobile app backend.
The stack relies heavily on BaaS (Backend-as-a-Service) like Supabase, Firebase, or Clerk.
You are reviewing Next.js Server Actions, tRPC routers, or React Server Components.

The Audit Workflow

1. The BaaS Access Control Trap

AI code generators frequently scaffold databases without strict Row-Level Security (RLS).

Check: Are tables missing RLS entirely?
Check: Are existing RLS policies set to USING (true) for convenience?
Action: Load references/database-security.md.

2. The Client-Side Secret Leak

AI often pushes server-side secrets to the client to quickly bypass CORS or backend proxy errors.

Check: Grep for NEXT_PUBLIC_, VITE_, or EXPO_PUBLIC_.
Check: Ensure OpenAI, Anthropic, or Stripe secret keys are not bundled in these variables.
Action: Load references/secrets-and-env.md and references/ai-integration.md.

3. Server Action / API Auth Bypass

In Next.js, Server Actions are hidden API endpoints. They must be authenticated individually.

Check: Does the endpoint or Server Action assume the user is trusted simply because middleware exists? Middleware is often bypassed or overly permissive.
Action: Load references/authentication.md.

4. Billing and Rate Limits

AI assistants build features, not defenses.

Check: Are AI query routes (e.g., text generation, image generation) protected by rate limits?
Check: Are payment webhooks properly verifying signatures?
Action: Load references/rate-limiting.md and references/payments.md.

Quality Gates

Context matters: A leaked NEXT_PUBLIC_STRIPE_PUBLISHABLE_KEY is not a vulnerability (it is meant to be public). A leaked STRIPE_SECRET_KEY is critical. Verify before reporting.
Do not report generic 'missing headers': Focus strictly on the critical gaps caused by "vibe-coding" (Direct DB exposure, unauthorized server actions, secret leakage).

aeondave/vibe-audit-technique

offensive-techniques/vibe-audit-technique/SKILL.md

White-box auditing methodology for AI-generated ('vibe-coded') applications. Focuses on modern stack misconfigurations (Supabase, Next.js, Vercel).

4 stars

development

Updated Jun 12, 2026

$ install --global

skillsauth

npx skillsauth add aeondave/malskill vibe-audit-technique

Install this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.

Security Scan Results

3 of 9 scanners reported clean

Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.

Scanners Passed

Scanners in report

Clean

TrivyContainer and dependency vulnerability scanner

95%

Clean

SemgrepStatic code analysis for vulnerabilities

95%

Clean

mcp-scan (Snyk)Model Context Protocol security validation

95%

Skipped

Snyk (dep)Open source security scanning

50%

Skipped

Socket.devSupply chain security analysis

50%

Skipped

VirusTotalMulti-engine malware detection

50%

Skipped

CrowdStrikeAdvanced threat intelligence

50%

Skipped

OSV-ScannerOpen Source Vulnerability database check

50%

Skipped

OWASP Dep-Check

50%

Last scanned: Jun 12, 2026, 3:51 AM80.1s10 files scanned

SKILL.md

name:: vibe-audit-technique
description:: White-box auditing methodology for AI-generated ('vibe-coded') applications. Focuses on modern stack misconfigurations (Supabase, Next.js, Vercel).

vibe-audit-technique

Goal: Identify critical, high-frequency security omissions in modern web stacks (Next.js, Firebase, Supabase, VITE) that are typically generated by AI coding assistants.

When this technique applies

You have source-code access to a modern web application or mobile app backend.
The stack relies heavily on BaaS (Backend-as-a-Service) like Supabase, Firebase, or Clerk.
You are reviewing Next.js Server Actions, tRPC routers, or React Server Components.

The Audit Workflow

1. The BaaS Access Control Trap

AI code generators frequently scaffold databases without strict Row-Level Security (RLS).

Check: Are tables missing RLS entirely?
Check: Are existing RLS policies set to USING (true) for convenience?
Action: Load references/database-security.md.

2. The Client-Side Secret Leak

AI often pushes server-side secrets to the client to quickly bypass CORS or backend proxy errors.

Check: Grep for NEXT_PUBLIC_, VITE_, or EXPO_PUBLIC_.
Check: Ensure OpenAI, Anthropic, or Stripe secret keys are not bundled in these variables.
Action: Load references/secrets-and-env.md and references/ai-integration.md.

3. Server Action / API Auth Bypass

In Next.js, Server Actions are hidden API endpoints. They must be authenticated individually.

Check: Does the endpoint or Server Action assume the user is trusted simply because middleware exists? Middleware is often bypassed or overly permissive.
Action: Load references/authentication.md.

4. Billing and Rate Limits

AI assistants build features, not defenses.

Check: Are AI query routes (e.g., text generation, image generation) protected by rate limits?
Check: Are payment webhooks properly verifying signatures?
Action: Load references/rate-limiting.md and references/payments.md.

Quality Gates

Context matters: A leaked NEXT_PUBLIC_STRIPE_PUBLISHABLE_KEY is not a vulnerability (it is meant to be public). A leaked STRIPE_SECRET_KEY is critical. Verify before reporting.
Do not report generic 'missing headers': Focus strictly on the critical gaps caused by "vibe-coding" (Direct DB exposure, unauthorized server actions, secret leakage).

Related Skills

aeondave/source-review-technique

development

VerifiedTrustedCommunity

Hybrid AI/Deterministic SAST methodology for discovering zero-day vulnerabilities in source code. Orchestrates structural search with AI-driven data flow and sink validation.

4SKILL.mdUpdated Jun 12, 2026

aeondave/source-review-technique

aeondave/hardware-technique

development

VerifiedTrustedCommunity

Auth assessment: hardware/embedded methodology; UART/JTAG/SWD/SPI/I2C, firmware extraction, boot/debug paths, embedded OS evidence.

4SKILL.mdUpdated Jun 12, 2026

aeondave/hardware-technique

aeondave/container-technique

devops

VerifiedTrustedCommunity

Container methodology: Identifying containerization limits, Docker/K8s misconfigurations, and executing escapes to the host node.

4SKILL.mdUpdated Jun 12, 2026

aeondave/container-technique

aeondave/cicd-technique

development

VerifiedTrustedCommunity

CI/CD supply chain methodology: identifying poisoned pipelines, unsafe GitHub Actions, and extracting build secrets.

4SKILL.mdUpdated Jun 12, 2026

aeondave/cicd-technique

Download

For Claude Desktop. Download once, then upload the file in the app — no terminal needed.

Need help? View full Cowork setup guide →

Install manually

Choose your platform

# Clone the repo
git clone https://github.com/aeondave/malskill.git

# Copy into Claude Code skills folder (global)
cp -r malskill/offensive-techniques/vibe-audit-technique ~/.claude/skills/

Claude Code Skills — official skills path docs.

Repository

aeondave/malskill

4 stars

Compatible with

Claude Code

OpenAI Codex CLI

ChatGPT