| name | vibe-guard |
| description | Security guardian for vibe-coded apps — scores risk 0-100, catches the 50 most common AI security mistakes, and provides Quick Win fixes in under 5 minutes |
| version | 1.0.0 |
| license | MIT |
| metadata | {"author":"azizaeffendi","hermes":{"tags":["security","vibe-coding","risk-score","quick-wins","supabase","stripe","jwt","nextjs","react-native","beginner-friendly"],"category":"security","requires_toolsets":["terminal"]}} |
Security guardian specifically designed for AI-assisted ("vibe-coded") development. Produces a Risk Score from 0–100 and categorizes all findings as Quick Wins (< 5 min fix) or Complex Fixes (requires planning).
Built for developers who move fast — the output is designed to be immediately actionable, not overwhelming.
The Promise
After running Vibe Guard, you will know:
- Your overall Risk Score (0–100)
- Exactly what to fix (with copy-paste code)
- How long each fix will take
- Whether it's safe to ship right now
When to Use
- User invokes:
/vibe-guard, $vibe-guard
- User asks: "is this safe to ship?", "run vibe guard", "check my security", "what's my risk score?", "is this production-ready?", "am I secure?"
- User is about to push to main or deploy to production
- User mentions "vibe coding", "AI-generated", "built with AI"
- Writing code involving: auth, payments, databases, API keys, user data
Quick Reference
gitleaks detect --source . --no-banner && \
grep -rn "jwt\.decode\b" . --include="*.ts" --include="*.js" && \
grep -rn "USING (true)" . --include="*.sql" --include="*.ts" && \
grep -rn "unit_amount.*body\|req\.body\.price" . --include="*.ts" && \
grep -rn "AsyncStorage.*token\|AsyncStorage.*auth" . --include="*.ts" --include="*.tsx" && \
grep -rn "NEXT_PUBLIC_OPENAI\|NEXT_PUBLIC_ANTHROPIC" . --include="*.ts" && \
echo "Scan complete"
Risk Scoring System
Calculate the risk score based on findings:
| Severity | Points per finding | Cap |
|---|
| 🔴 Critical | 20 pts | 60 pts max |
| 🟠 High | 10 pts | 30 pts max |
| 🟡 Medium | 4 pts | 20 pts max |
| 🔵 Low | 1 pt | 10 pts max |
Total max: 100 points. Lower is better.
Score Interpretation
| Score | Grade | Ship Decision |
|---|
| 0–10 | 🟢 Excellent | ✅ Safe to ship |
| 11–30 | 🟡 Good | ⚠️ Fix medium issues first |
| 31–60 | 🟠 Risky | ❌ Fix high issues before shipping |
| 61–100 | 🔴 Critical | 🚫 Do not ship — fix criticals first |
Output Format
Always display the risk report before listing findings:
╔══════════════════════════════════════════╗
║ VIBE GUARD RISK REPORT ║
╠══════════════════════════════════════════╣
║ Overall Risk Score: [X] / 100 [GRADE] ║
╠══════════════════════════════════════════╣
║ 🔴 Critical [N] [bar] [pts] ║
║ 🟠 High [N] [bar] [pts] ║
║ 🟡 Medium [N] [bar] [pts] ║
║ 🔵 Low [N] [bar] [pts] ║
╠══════════════════════════════════════════╣
║ Ship Recommendation: [YES/NO/MAYBE] ║
║ Estimated fix time: [X] minutes ║
╚══════════════════════════════════════════╝
Audit Process
Check the codebase for the 50 most common AI security mistakes, organized by risk level.
Phase 1 — Critical Checks (always run first)
-
Exposed secrets — hardcoded API keys, secrets in client-side env vars, .env in git
→ Load: references/secrets-and-env.md
-
Disabled database access control — Supabase RLS off, Firebase allow: if true, Convex without auth
→ Load: references/database-security.md
-
Authentication bypass — jwt.decode() without verify, middleware-only auth, unprotected Server Actions
→ Load: references/authentication.md
Phase 2 — High Risk Checks
-
Client-submitted prices — price/amount/cost from request body in payment flows
→ Load: references/payments.md
-
Missing rate limiting — auth, AI API, email, SMS endpoints without limits
→ Load: references/rate-limiting.md (only if applicable)
-
AI API key on client — NEXT_PUBLIC_OPENAI_KEY, dangerouslyAllowBrowser: true
→ Load: references/ai-integration.md (only if applicable)
Phase 3 — Medium & Low Checks
-
Deployment gaps — debug mode, .git public, missing security headers, CORS wildcard
→ Load: references/deployment.md
-
Mobile token storage — AsyncStorage for tokens, secrets in JS bundle
→ Load: references/mobile.md (only if React Native/Expo detected)
-
Data access — SQL injection patterns, mass assignment, IDOR
→ Load: references/data-access.md
Quick Wins Section
After listing all findings, always include a Quick Wins section:
── QUICK WINS (< 5 minutes each) ──────────────────────────
✅ Fix 1: Add .env to .gitignore
echo ".env" >> .gitignore && git rm --cached .env 2>/dev/null
✅ Fix 2: Enable RLS on all Supabase tables (SQL Editor)
ALTER TABLE your_table ENABLE ROW LEVEL SECURITY;
✅ Fix 3: Replace jwt.decode() with jwt.verify()
Before: const user = jwt.decode(token)
After: const user = jwt.verify(token, secret, { algorithms: ['HS256'] })
── COMPLEX FIXES (require planning) ───────────────────────
📋 Fix 4: Add RLS policies for all tables (~30 min)
📋 Fix 5: Move rate limiting to Upstash Redis (~45 min)
📋 Fix 6: Implement server-side price lookup (~20 min)
Core Instructions
- Produce the Risk Score first, always. Users need the top-line number before digging into details.
- Label each fix as Quick Win (< 5 min) or Complex Fix (requires planning) with estimated time.
- Never overwhelm — if there are more than 10 findings, group similar ones and show counts.
- Be encouraging — acknowledge what's done correctly, not just what's wrong.
- Use plain language. Assume the developer knows how to code but may not be a security expert.
- If a Critical finding exists, call it out first and recommend not shipping until resolved.
Pitfalls
- Score inflation — Don't let one file with 5 hardcoded secrets count as 5 Critical findings. Group secrets per-domain, not per-occurrence.
- False positives on test files —
*.test.ts, *.spec.ts, and __mocks__/ files often contain fake credentials. Note them but don't score them as Critical.
- Middleware auth — Next.js middleware being the only auth layer is High severity, not Critical. It requires specific headers to bypass.
service_role in server-only code — SUPABASE_SERVICE_ROLE_KEY without NEXT_PUBLIC_ prefix, used only in server components or API routes, is acceptable. Only flag if used in client code.
Verification
After fixes are applied, re-run vibe-guard to generate an updated Risk Score. A successful remediation session looks like:
Before: Risk Score 72/100 🔴 CRITICAL (3 critical, 2 high)
After: Risk Score 12/100 🟡 GOOD (0 critical, 1 medium)
Change: -60 points ↓
References
references/vibe-patterns.md — The 50 most common AI-introduced security mistakes
references/quick-wins.md — Highest-impact fixes that take under 5 minutes
references/database-security.md — Supabase RLS, Firebase rules, Convex auth
references/authentication.md — JWT, middleware, Server Actions
references/payments.md — Stripe, webhooks, price validation
references/secrets-and-env.md — API keys, client-side prefixes, .gitignore
references/mobile.md — React Native, Expo, secure storage
references/ai-integration.md — LLM API protection, prompt injection
references/deployment.md — Production config, security headers