
vibe-proof

Security-focused hardening for vibe-coded full-stack apps. Runs parallel audits across frontend, backend, and config layers, then fixes issues systematically by severity. Covers injection, PII exposure, missing headers, error leakage, dead code, and credential hygiene.
HermeticOrmus/claude-code-skills · ★ 0 · AI & Automation · score 65
Install: claude install-skill HermeticOrmus/claude-code-skills
# Vibe-Proof: Security Hardening for Full-Stack Apps

**Purpose:** Systematically audit and fix security vulnerabilities in vibe-coded full-stack applications through parallel multi-agent analysis and guided remediation.

## Origin

Extracted from a real hardening session on a React + Express + Stripe e-commerce platform deployed to Vercel. Refined through a second execution on a Next.js 16 + Supabase + CRM medical platform (Feb 2026). Between both sessions: 85+ issues found, including SQL injection, hardcoded backdoor passwords, secrets in URL params, `.env` files in git, and missing security headers.

## When to Use

- After vibe-coding an MVP with API routes, databases, or payment integrations
- Before first real deployment or first real customer
- When you suspect "it works but is it safe?"
- Any Express/React/Next.js/Nuxt app with a backend

## The Seven Security Checks

### 1. Injection Vectors

- [ ] No user input in SQL/query strings without parameterization
- [ ] Sort columns and filter fields use allowlist validation
- [ ] No `eval()`, `new Function()`, or template literal injection
- [ ] URL params parsed with bounds checking (parseInt with min/max)
- [ ] Enum fields (gender, status, role) validated against const allowlists

### 2. PII & Secret Exposure

- [ ] No hardcoded addresses, phone numbers, or names in source
- [ ] No hardcoded passwords or "backdoor" auth strings
- [ ] API tokens in headers (Authorization), never in URL params
- [ ] Admin endpoint secrets use `Aut