
vibe-proof

Security-focused hardening for vibe-coded full-stack apps. Runs parallel audits across frontend, backend, and config layers, then fixes issues systematically by severity. Covers injection, PII exposure, missing headers, error leakage, dead code, and credential hygiene.
HermeticOrmus/vibe-proof-skills · ★ 0 · Web & Frontend · score 75
Install: claude install-skill HermeticOrmus/vibe-proof-skills
# Vibe-proof: security hardening for full-stack apps

**Purpose**: Audit and fix security vulnerabilities in vibe-coded full-stack applications through parallel multi-layer analysis and guided remediation, fixing in severity order.

## Origin

Refined across two real hardening sessions: a React + Express + Stripe e-commerce platform deployed to Vercel, then a Next.js + Supabase + CRM medical platform. Between both sessions, 85+ issues were found, including SQL injection, hardcoded backdoor passwords, secrets in URL params, `.env` files in git, and missing security headers.

## When to use

- After vibe-coding an MVP with API routes, databases, or payment integrations
- Before a first real deployment or first real customer
- When you suspect "it works, but is it safe?"
- Any Express / React / Next.js / Nuxt app with a backend

## The seven security checks

### 1. Injection vectors

- [ ] No user input in SQL/query strings without parameterization
- [ ] Sort columns and filter fields use allowlist validation
- [ ] No `eval()`, `new Function()`, or template-literal injection
- [ ] URL params parsed with bounds checking (`parseInt` with min/max)
- [ ] Enum fields (gender, status, role) validated against `const` allowlists

### 2. PII and secret exposure

- [ ] No hardcoded addresses, phone numbers, or names in source
- [ ] No hardcoded passwords or backdoor auth strings
- [ ] API tokens in headers (`Authorization`), never in URL params
- [ ] Admin endpoint secrets use `Authorizat
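As an added example (not code from the vibe-proof skill), here is what the injection-vector checks in section 1 look like in an Express-style route handler: the unsafe pattern the audit flags next to the hardened form that uses allowlisted identifiers, bounds-checked `parseInt`, a `const` enum allowlist and placeholder parameters. The `users` table, its column names, the `$1`-style placeholders and the `req.query` object are all assumptions constructed for the example.

```javascript
// Added example (not from the vibe-proof skill): an Express-style
// req.query handler hardened against the section-1 findings. Table and
// column names are hypothetical; the query object is constructed inline.
const SORT_COLUMNS = new Set(['created_at', 'email', 'status']);
const SORT_DIRECTIONS = new Set(['ASC', 'DESC']);
const STATUSES = new Set(['active', 'suspended', 'pending']);

// parseInt with bounds: rejects non-digit input such as "10abc" and
// out-of-range values instead of letting them reach the database.
function parseBoundedInt(raw, { min, max, fallback }) {
  if (raw === undefined) return fallback;
  if (!/^\d+$/.test(String(raw))) throw new RangeError(`not an integer: ${raw}`);
  const n = parseInt(raw, 10);
  if (n < min || n > max) throw new RangeError(`out of range: ${n}`);
  return n;
}

// Allowlist check: only values from a fixed set are accepted as identifiers
// or enum values, so nothing from the request is ever interpolated raw.
function pickAllowed(raw, allowed, fallback) {
  if (raw === undefined) return fallback;
  if (!allowed.has(raw)) throw new RangeError(`not allowed: ${raw}`);
  return raw;
}

// What the audit flags: identifiers and values spliced straight from req.query.
function buildUnsafeUserQuery(q) {
  return `SELECT * FROM users WHERE status = '${q.status}' ORDER BY ${q.sort} LIMIT ${q.limit}`;
}

// Hardened form: identifiers come from allowlists, values go through
// placeholders, numbers are bounds-checked. Returns { sql, params }.
function buildUserQuery(q) {
  const status = pickAllowed(q.status, STATUSES, 'active');
  const sort = pickAllowed(q.sort, SORT_COLUMNS, 'created_at');
  const dir = pickAllowed(q.dir ? q.dir.toUpperCase() : undefined, SORT_DIRECTIONS, 'ASC');
  const limit = parseBoundedInt(q.limit, { min: 1, max: 100, fallback: 20 });
  const page = parseBoundedInt(q.page, { min: 1, max: 10000, fallback: 1 });
  return {
    sql: `SELECT id, email, status FROM users WHERE status = $1 ORDER BY ${sort} ${dir} LIMIT $2 OFFSET $3`,
    params: [status, limit, (page - 1) * limit],
  };
}

// Constructed sample request: what Express puts in req.query for
// GET /users?status=active&sort=email&dir=desc&limit=50&page=2
const sampleQuery = { status: 'active', sort: 'email', dir: 'desc', limit: '50', page: '2' };
console.log(buildUserQuery(sampleQuery));
```

Anything not on an allowlist or outside the numeric bounds is rejected before a query is built, which is the behaviour each checkbox in section 1 asks you to verify.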