Defensive AppSec Skill

Audit vibe-coded software before it ships.

AppSec Audit reviews files, diffs, PRs and repositories for real security risk. It maps attack surface, traces untrusted input, calibrates severity, and turns findings into concrete fixes.

User: Audit this PR before deploy.

Scope: public Next.js app, Prisma, Stripe, admin routes
Surface: 14 routes, 3 webhook handlers, 2 LLM tools

[ok] threat boundaries mapped
[ok] language packs loaded
[next] generate remediation plan?
High    IDOR on PATCH /projects/:id        CWE-639
High    Client-controlled price accepted   CWE-602
Medium  Stored XSS in markdown preview     CWE-79

Invoke the auditor in plain language.

No slash-command memorization required. Say what you want reviewed, name the artifact, then ask for the output you need.

Choose starting point   Say this to Codex or Claude

File       Run AppSec Vulnerability Auditor on this file.
PR         Audit this PR for vulnerabilities before merge.
Repo       Do a repository-scale security audit with resumable audit state.
SARIF      Ingest this SARIF report as seed findings, validate them, then audit.
Semgrep    Use this Semgrep JSON as provenance-tagged seed evidence.
Secrets    Review this Gitleaks output and confirm which findings are real.
MCP        Audit this MCP server for prompt injection, tool authz and context exfiltration.
Tool use   Trace untrusted model output into tools, file access and network egress.
SSRF       Check agent URL fetchers for SSRF and missing allowlists.
SARIF      Return the audit as Markdown first, then SARIF 2.1.0.
Tickets    Create GitHub issue bodies for each finding.
CTO        Write an executive summary with risk, assumptions and next steps.
Ship       Generate a remediation plan for ship-blocker findings only.
Fast       Give me quick-wins across all tiers with tests and acceptance criteria.
Full       Create a full remediation plan with sprints and residual risk.

Plan

Start with threat model, trust boundaries, sensitive data and deployment target.

Audit

Review files, diffs, PRs or repos with language packs and AppSec references.

Report

Get calibrated findings with CWE, OWASP, file line, assumptions and validation questions.

Fix

Ask for patches, regression tests, sprint tasks and residual-risk notes.

Threat model       | ask: establish scope                 | Creates review assumptions for exposure, data sensitivity, deployment and trust boundaries.
Surface map        | ask: map entry points                | Finds routes, webhooks, CLIs, queues, uploads, MCP tools and sensitive sinks.
Seed ingestion     | attach: SARIF, Semgrep, Gitleaks     | Imports existing scanner findings as provenance-tagged evidence, then validates them.
Pattern scan       | ask: OWASP / CWE / AI code           | Checks OWASP Top 10, CWE Top 25, generated-code pitfalls, secrets and LLM-agent risks.
Data-flow trace    | ask: trace untrusted input           | Follows input into DB, shell, templates, file IO, deserialization, network egress and tools.
Context passes     | auto: by stack                       | Loads targeted checks for frontend, backend, mobile, infra, library or LLM-agent code.
Safe verification  | ask: reproduce or sketch             | Gives defensive verification steps for Critical and High without weaponized payloads.
Patch guidance     | ask: patch findings                  | Returns fix direction, implementation notes and regression tests in the codebase style.
Output formats     | ask: SARIF, JIRA, GitHub, JSON, CTO  | Transforms report into scanner upload, ticket bodies, ledger JSON or executive summary.
Repo protocol      | ask: full repository audit           | Uses manifest scan, entry-point map, module deep dives, cross-cutting passes and audit state.
Remediation plan   | ask: quick-wins, ship-blocker, full  | Builds sprint tasks with dependencies, acceptance criteria, tests and residual risk.
Evaluation suite   | ask: run evals                       | Uses benchmark cases and scorecards to check recall, precision, severity and calibration.

Security review is a loop, not a scanner result.

AppSec Audit starts with threat boundaries, follows data flow by hand, validates high-signal patterns, and ends with fixes engineers can apply.

Scope      | Establish threat model, target deployment, sensitive data and review authority.    | THREAT.md
Map        | Find entry points, trust transitions and sinks before line review starts.          | surface map
Trace      | Follow untrusted input into DB, shell, templates, LLM tools and network egress.    | data flow
Calibrate  | Attach severity, confidence, assumptions and validation questions to every finding. | findings ledger
Patch      | Return fix direction, tests, residual risk and optional sprint plan.               | remediation.md

attack-surface.map
scope: public web app
entrypoints:
  - /api/projects/:id PATCH
  - /api/checkout POST
  - /webhooks/stripe POST
  - llm.tools.fetch_url

sensitive_sinks:
  - prisma.project.update()
  - stripe.checkout.sessions.create()
  - markdown renderer
  - fetch(user_url)
calibration.note  [not dramatized]
High, provisional
confidence: medium
assumption: route is reachable by regular users
downgrade: gateway blocks cross-tenant IDs
upgrade: endpoint exposes payment metadata
validation: confirm route middleware order

It reads the system before judging the code.

The skill treats context as evidence. Framework conventions, language packs, SAST seeds and deployment assumptions shape the final report.

Understands your codebase: Routes, handlers, configs, framework conventions and language-specific risk patterns.
Starts with threat context: Public exposure, sensitive data, caller types and deployment target come before severity.
Uses real security references: OWASP, CWE, LLM-agent security, secrets guidance and relevant language packs.
Calibrates, not dramatizes: Severity includes confidence, assumptions, upgrade conditions and validation questions.
Turns findings into work: Step 10 converts selected findings into sprint-sized remediation tasks.
attack-surface-map
entry-points:
  POST /api/auth/login         [public]
  PATCH /api/projects/:id      [auth]  ← IDOR candidate
  POST /api/webhooks/stripe    [signed]
  GET  /llm/summarize          [auth]  ← tool-call scope

sensitive-sinks:
  prisma.user.findUnique()     [PII]
  stripe.paymentIntents.create [financial]
  exec(userCmd)                [RCE risk]

trust-boundaries: 3   surfaces: 14
calibration.note
finding:    IDOR on PATCH /projects/:id
severity:   High
confidence: High
assumption: no row-level policy in DB
downgrade:  if RLS enforced → Medium
upgrade:    if admin bypass → Critical
validate:   "Does Prisma scope by user_id?"

Ten steps, one audit artifact.

Small inputs still get rigor. Large repositories get staged state. High-risk findings get verification guidance without weaponized payloads.

01

Establish scope

Threat model, trust boundary, authorship, deployment target and sensitive data set the review frame.

02

Map attack surface

HTTP routes, CLIs, queues, uploads, webhooks, MCP tools and sinks are mapped before findings are written.

2.5

Ingest seed findings

SARIF, Semgrep, Gitleaks and previous reports become provenance-tagged evidence, not automatic truth.

03

Pattern scan

OWASP Top 10, CWE Top 25, AI-generated-code pitfalls, LLM-agent security and secrets/config checks collect candidates.

04

Trace auth, authz and data flow

Protected-route coverage, ownership checks, IDOR, sanitizer fit and state-machine abuse get hand-traced.

05

Run context-specific passes

Frontend, backend, LLM agent, mobile, infra and library audits load different checks.

06

Reproduce or sketch

Critical and High findings get safe verification steps without becoming exploit kits.

07

Patch

Each finding includes fix direction, why it closes risk, and tests that prevent regression.

08

Report

Scope, surface map, calibration note, findings table, writeups, clean checks, out-of-scope notes and next steps ship together.

09

Calibrate severity

Critical through Informational ratings are tied to exploitability, impact, confidence and assumptions.

10

Generate remediation plan

User-selected findings turn into sprint tasks with acceptance criteria, tests and residual-risk notes.

Standard AppSec, tuned for generated code.

Coverage combines classic vulnerability classes with failure modes disproportionately common in AI-assisted development.

Category               | Examples                                            | Typical generated-code shape
Broken access control  | IDOR, tenant bypass, admin route gaps               | CRUD route authenticates but never checks ownership
Injection              | SQL, NoSQL, shell, template injection               | String interpolation where ORM or argv arrays already exist
LLM-agent security     | Prompt injection, tool authz, context exfiltration  | Untrusted text enters tool-enabled LLM calls with secrets nearby
Cryptographic failures | Weak hashing, JWT misuse, bad randomness            | Plausible helper function skips signature or uses SHA for passwords
Server trusts client   | Price, role, tenant, ownership from frontend state  | Generated UI and API agree on a field nobody verifies server-side
Secrets and config     | Hardcoded keys, debug prod, weak cookies            | Testing values survive into repo, bundle or example env files

The security tells of vibe-coded software.

Generated code often looks idiomatic while skipping checks that make it safe. AppSec Audit is tuned for those repeat failures.

Confidently wrong crypto  [crypto]

Looks tidy, misses signature validation, password storage, mode choice or randomness.

Missing authz on PATCH/DELETE  [IDOR]

Route is authenticated, but resource ownership never enters the query or policy.

Prompt-injectable tool use  [agent]

Untrusted content flows into tool-enabled LLM calls with access to network, files or secrets.

Hardcoded keys for testing  [secrets]

Example credentials, real tokens and debug switches remain in source, comments or bundles.

SSRF in URL fetchers  [egress]

Agent tools, PDF renderers and webhook helpers fetch arbitrary URLs without allowlists.
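The SSRF tell above has two halves: no allowlist, and a fetcher that follows redirects without re-checking where they lead. The following is an added example of a fetch guard for an agent URL tool, written for this page and not taken from the skill or its repository. The allowlist, the fake offline transport and every URL in it are assumptions for the demonstration.

```javascript
// Added example, not the skill's own code: a guard for agent URL fetchers that
// closes the two gaps named above, a missing allowlist and unchecked redirects.
// The allowlist, the fake transport and every URL below are assumptions.

const ALLOWED_HOSTS = new Set(['api.example.com', 'docs.example.com']); // assumed policy

// Decide, before any network access, whether a URL may be fetched at all.
function checkFetchUrl(raw, allowedHosts = ALLOWED_HOSTS) {
  let url;
  try { url = new URL(raw); } catch { return { ok: false, reason: 'unparseable' }; }
  if (url.protocol !== 'https:') return { ok: false, reason: 'scheme' };
  if (url.username || url.password) return { ok: false, reason: 'credentials' };
  // The allowlist is by name, so IP literals are rejected outright. The WHATWG
  // parser already normalises forms such as 2130706433 or 0x7f000001 to
  // 127.0.0.1 and keeps IPv6 in brackets, so two patterns cover the literals.
  const host = url.hostname;
  if (/^\[.*\]$/.test(host) || /^\d{1,3}(\.\d{1,3}){3}$/.test(host)) {
    return { ok: false, reason: 'ip-literal' };
  }
  if (!allowedHosts.has(host)) return { ok: false, reason: 'host-not-allowed' };
  return { ok: true, url: url.href };
}

// Follow redirects by hand so every hop is re-validated: an allowed host that
// answers 302 Location: http://169.254.169.254/ must not be followed.
async function safeFetch(raw, fetchImpl, { allowedHosts = ALLOWED_HOSTS, maxRedirects = 3 } = {}) {
  let current = raw;
  for (let hop = 0; hop <= maxRedirects; hop++) {
    const verdict = checkFetchUrl(current, allowedHosts);
    if (!verdict.ok) return { ok: false, reason: verdict.reason, at: current };
    const res = await fetchImpl(verdict.url, { redirect: 'manual' });
    if ([301, 302, 303, 307, 308].includes(res.status)) {
      const location = res.headers.get('location');
      if (!location) return { ok: false, reason: 'redirect-without-location', at: current };
      current = new URL(location, verdict.url).href; // resolve a relative Location
      continue;
    }
    return { ok: true, status: res.status, url: verdict.url, body: await res.text() };
  }
  return { ok: false, reason: 'too-many-redirects', at: current };
}

// Constructed offline transport with the fetch() response shape: one allowed
// path that redirects to the cloud metadata address, one that answers directly.
function fakeFetch(url) {
  const table = {
    'https://api.example.com/open-redirect': {
      status: 302, headers: { location: 'http://169.254.169.254/latest/meta-data/' },
    },
    'https://api.example.com/v1/ping': { status: 200, body: 'pong' },
  };
  const r = table[url] || { status: 404, body: '' };
  return Promise.resolve({
    status: r.status,
    headers: { get: (name) => (r.headers || {})[name.toLowerCase()] ?? null },
    text: () => Promise.resolve(r.body ?? ''),
  });
}
```

Pass the real `fetch` as `fetchImpl` in production. What this guard still trusts is DNS: an allowlisted name can resolve to a private address, so resolve it yourself, reject private and link-local answers, and connect to the address you checked if rebinding is in the threat model. Bound response size and time as well, since an agent tool is a cheap way to make the server download something large.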

Reports for humans. Ledgers for machines.

Markdown remains the source of truth. Machine and ticket formats preserve severity, confidence, assumptions, validation questions and remediation context.

Format                | Use
Markdown audit report | Scope, attack surface, detailed findings and recommended next steps.
SARIF 2.1.0           | Upload to GitHub Code Scanning or compatible security tooling.
GitHub / JIRA         | One issue or ticket body per finding, calibrated and actionable.
Executive summary     | Leadership-safe risk framing without exploit payloads.
Findings ledger JSON  | Programmatic severity, CWE, OWASP, assumptions and validation questions.

output tree  [single source]
audit-report.md
|- scope and threat model
|- attack-surface map
|- findings table
|- detailed writeups
|- clean checks
`- next steps

findings-ledger.json
|- severity
|- confidence
|- CWE / OWASP
|- assumptions
`- validation questions
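The point of the ledger is that the calibration fields survive every export. As an added example, not code from the skill itself, here is a converter from a ledger shaped like the tree above into a SARIF 2.1.0 log of the kind GitHub Code Scanning ingests; severity, confidence, assumptions and validation questions ride along in the SARIF property bags. The ledger field names and the sample findings are assumptions modelled on the page's own demo.

```javascript
// Added example, not the skill's own code: findings-ledger JSON -> SARIF 2.1.0.
// The ledger field names below are an assumption modelled on the output tree.

const SEVERITY_TO_LEVEL = {
  Critical: 'error', High: 'error', Medium: 'warning', Low: 'note', Informational: 'note',
};
// GitHub reads rules[].properties["security-severity"] (a 0-10 string) to bucket alerts.
const SEVERITY_SCORE = { Critical: '9.5', High: '7.5', Medium: '5.0', Low: '2.0', Informational: '0.0' };

function ledgerToSarif(ledger, toolName = 'appsec-vulnerability-auditor') {
  const rules = new Map(); // one rule per CWE, named after the first finding that uses it
  const results = ledger.findings.map((f) => {
    const ruleId = `CWE-${f.cwe}`;
    if (!rules.has(ruleId)) {
      rules.set(ruleId, {
        id: ruleId,
        name: f.title,
        shortDescription: { text: f.title },
        helpUri: `https://cwe.mitre.org/data/definitions/${f.cwe}.html`,
        properties: { 'security-severity': SEVERITY_SCORE[f.severity], owasp: f.owasp },
      });
    }
    return {
      ruleId,
      level: SEVERITY_TO_LEVEL[f.severity] ?? 'warning',
      message: {
        text: `${f.title} (${f.severity}, confidence ${f.confidence}). ` +
              `Validate: ${f.validationQuestions.join(' ')}`,
      },
      locations: [{
        physicalLocation: {
          artifactLocation: { uri: f.file, uriBaseId: '%SRCROOT%' },
          region: { startLine: f.line },
        },
      }],
      // SARIF allows arbitrary property bags; this is where calibration lives,
      // so a ticket or scorecard built from the SARIF can recover it.
      properties: {
        severity: f.severity,
        confidence: f.confidence,
        assumptions: f.assumptions,
        validationQuestions: f.validationQuestions,
      },
    };
  });
  return {
    $schema: 'https://json.schemastore.org/sarif-2.1.0.json',
    version: '2.1.0',
    runs: [{ tool: { driver: { name: toolName, rules: [...rules.values()] } }, results }],
  };
}

// Every result must point at a declared rule; cheap sanity check before upload.
function resultsReferenceRules(sarif) {
  const ids = new Set(sarif.runs[0].tool.driver.rules.map((r) => r.id));
  return sarif.runs[0].results.every((r) => ids.has(r.ruleId));
}

// Constructed ledger mirroring the three findings in the demo at the top of the
// page; file paths and line numbers are made up for the example.
const SAMPLE_LEDGER = {
  findings: [
    { title: 'IDOR on PATCH /projects/:id', severity: 'High', confidence: 'High', cwe: 639,
      owasp: 'A01:2021', file: 'app/api/projects/[id]/route.ts', line: 42,
      assumptions: ['no row-level policy in DB'],
      validationQuestions: ['Does Prisma scope by user_id?'] },
    { title: 'Client-controlled price accepted', severity: 'High', confidence: 'Medium', cwe: 602,
      owasp: 'A04:2021', file: 'app/api/checkout/route.ts', line: 17,
      assumptions: ['checkout amount is not recomputed in the Stripe webhook'],
      validationQuestions: ['Is the amount re-derived from the plan id server-side?'] },
    { title: 'Stored XSS in markdown preview', severity: 'Medium', confidence: 'High', cwe: 79,
      owasp: 'A03:2021', file: 'components/MarkdownPreview.tsx', line: 9,
      assumptions: ['preview HTML is rendered without sanitisation'],
      validationQuestions: ['Is raw HTML in markdown allowed by the renderer config?'] },
  ],
};
```

`JSON.stringify(ledgerToSarif(ledger), null, 2)` is what you upload. Keep the Markdown report as the thing humans read; the SARIF is derived from the ledger, never edited by hand, so the two cannot disagree.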

From findings to Monday morning work.

After an audit, Step 10 lets you choose what to fix and generates a sprint-ready remediation plan.

T1  Critical Path     ship-blocker   Critical and High findings with high confidence. Fix before launch.
T2  Core Hardening    moderate       Medium risk or context-dependent High findings that need validation.
T3  Defense in Depth  backlog        Low and Informational findings that improve resilience.
XC  Cross-cutting     architecture   Shared fixes that unblock multiple findings at once.

Sprint 1: Ship blockers  [8–12h]
#1 High IDOR: add ownership policy to project update route

Acceptance: user A cannot modify user B's project. Regression: cross-tenant PATCH returns 403.

#2 High client price trust: move price calculation server-side

Acceptance: submitted price is ignored by checkout service. Regression: forged amount keeps canonical price.

#3 Medium stored XSS: constrain markdown renderer

Acceptance: disallowed tags removed. Regression: renderer snapshot covers unsafe attributes.
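Tasks #1 and #2 above (and the "Broken access control" and "Server trusts client" rows of the category table) describe the same generated-code shape: a route that authenticates but never binds the operation to the caller, and a checkout that trusts a number from the browser. The block below is an added example written for this page, not code from the skill or from the Next.js app in the demo: each vulnerable handler sits beside its fixed form, with an in-memory store standing in for Prisma and Stripe. All names, the store contents and the acceptance checks are assumptions.

```javascript
// Added example, not the skill's own code: the first two ship-blocker tasks as
// a vulnerable handler beside its fixed form. An in-memory store stands in for
// Prisma and Stripe; every identifier here is an assumption for the demo.

function createStore() {
  return {
    projects: new Map([
      ['p1', { id: 'p1', ownerId: 'alice', name: 'Alpha' }],
      ['p2', { id: 'p2', ownerId: 'bob', name: 'Beta' }],
    ]),
    // Canonical plan prices in minor units; the client never supplies these.
    prices: new Map([['plan_pro', 4900], ['plan_team', 19900]]),
  };
}

// --- Task #1: IDOR on PATCH /projects/:id (CWE-639) ------------------------

// VULNERABLE: the route is authenticated, but the update is keyed by id alone,
// so any signed-in user can rename any project.
function patchProjectVulnerable(store, session, params, body) {
  if (!session) return { status: 401 };
  const project = store.projects.get(params.id);
  if (!project) return { status: 404 };
  project.name = body.name;
  return { status: 200, project };
}

// FIXED: ownership is part of the lookup. With Prisma the same shape is
// updateMany({ where: { id, ownerId: session.userId }, data }) followed by a
// count === 1 check, so the ownership condition cannot drift away from the query.
function patchProjectFixed(store, session, params, body) {
  if (!session) return { status: 401 };
  const project = store.projects.get(params.id);
  if (!project || project.ownerId !== session.userId) return { status: 403 };
  project.name = body.name;
  return { status: 200, project };
}

// --- Task #2: client-controlled price (CWE-602) ----------------------------

// VULNERABLE: the amount to charge comes straight from the request body.
function checkoutVulnerable(store, body) {
  return { status: 200, planId: body.planId, amount: body.amount };
}

// FIXED: the client only names a plan; the server looks up the amount and any
// submitted amount is ignored, which is exactly the regression check in task #2.
function checkoutFixed(store, body) {
  const amount = store.prices.get(body.planId);
  if (amount === undefined) return { status: 400, error: 'unknown plan' };
  return { status: 200, planId: body.planId, amount };
}

// Regression checks in the shape of the acceptance criteria above.
function runRegressionChecks() {
  const store = createStore();
  const bob = { userId: 'bob' };
  const crossTenant = patchProjectFixed(store, bob, { id: 'p1' }, { name: 'pwned' });
  const ownProject = patchProjectFixed(store, bob, { id: 'p2' }, { name: 'Beta v2' });
  const forged = checkoutFixed(store, { planId: 'plan_pro', amount: 1 });
  return {
    crossTenantBlocked: crossTenant.status === 403 && store.projects.get('p1').name === 'Alpha',
    ownerCanEdit: ownProject.status === 200 && store.projects.get('p2').name === 'Beta v2',
    forgedPriceIgnored: forged.amount === 4900,
  };
}
```

Two notes on the fixed forms. The example returns 403 for a foreign id because that is what the regression line above specifies; many teams return 404 instead so the response does not confirm that the id exists. And with Stripe Checkout the equivalent of `checkoutFixed` is passing a server-known `price` id (or a `unit_amount` computed server-side) when creating the session, never an amount read from the request.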

Big repos need state, not bravado.

The skill should never claim full-repo coverage unless every in-scope module was reviewed or explicitly deferred.

Manifest        files, languages, frameworks
Entry points    routes, webhooks, CLIs, tools
Modules         deep dives by ownership boundary
Cross-cutting   auth, secrets, config, flows
Report          calibrated findings and clean checks
Retest          residual risk and fix validation

Calibrated skills need calibration tests.

The eval suite keeps the skill honest as references, language packs and prompts evolve.

eval-run
case: notes-app-2026-05-28
expected: 6  found: 6/6  recall: 100%

case: agent-stripe-2026-04-15
expected: 4  found: 4/4  recall: 100%

case: next-prisma-2026-03-22
expected: 5  found: 5/5  recall: 100%

severity calibration: 
safe-guard behavior:   
false positives:       0 / 15 findings

Scorecard pipeline

Synthetic mode validates the comparator and scorecard pipeline. Live evaluation can measure recall, precision, severity accuracy, calibration completeness and safety behavior.

5    benchmark cases
20   expected findings
9    language packs
100+ checks

Install once. Audit any codebase.

What's included

  • Skill file with full 10-step audit method
  • 9 language and framework reference packs
  • Output examples and report templates
  • Repository audit protocol with staged mode
  • Evaluation suite with benchmark cases

Works on any codebase

  • Human-written, AI-generated, and legacy code
  • Mixed teams and gradual AI adoption
  • Files, diffs, PRs, and full repositories
  • SARIF export to GitHub Code Scanning
  • CI pipeline integration via GitHub Actions

Defensive by design.

If a request crosses into offensive use, the skill redirects to a defensive equivalent: detection rule, fix, regression test or hardening plan.

What it does

  • Reviews code the user is authorized to inspect
  • Identifies vulnerabilities and likely impact
  • Writes patches and defensive tests
  • Explains risk enough to fix it

What it will not do

  • Weaponized exploits or shellcode
  • Recon or fingerprinting of third-party systems
  • Authentication or licensing bypass
  • Offensive instructions as primary output

Drop it into your AI coding workflow.

The skill triggers from natural language: audit, security review, find vulnerabilities, safe to deploy, OWASP Top 10, CWE Top 25 and AI-generated code review.

install — Codex  [personal skills folder]
git clone https://github.com/alboechat/appsec-vulnerability-auditor.git
mv appsec-vulnerability-auditor ~/.codex/skills/
install — Claude Code  [personal skills folder]
git clone https://github.com/alboechat/appsec-vulnerability-auditor.git
mv appsec-vulnerability-auditor ~/.claude/skills/
use  [natural language]
"Run the AppSec Vulnerability Auditor on this file."
"Audit this PR for vulnerabilities."
"Security-review this before deploy."
"Generate a remediation plan for critical findings."

Sharp edges, answered.

Is this a pentest?

No. It is a defensive source-code review skill. It can support audit prep and secure engineering, but it does not replace authorized penetration testing or compliance assessment.

Does it run exploits?

No. Critical and High findings get verification guidance or safe reproduction sketches, but not weaponized PoCs.

Can it audit LLM agents?

Yes. It checks prompt injection, tool-use authorization, output-as-input loops, context exfiltration, SSRF in agent URL fetchers and secrets in context windows.

Can it consume Semgrep or SARIF?

Yes. Seed findings can be ingested, tagged by provenance, validated and calibrated.

What makes it different from generic SAST?

It combines AppSec references, language packs, AI-generated-code pitfalls, LLM-agent risks, manual data-flow reasoning, severity calibration and remediation planning.

Review your next AI-built release before deploy.

Keep the speed of vibe coding. Add threat boundaries, calibrated findings, defensive patches and a plan your team can execute.