ReddRadar
Agent skill
security-check
Automatic OWASP security checks on generated code. Use when: any code is generated in the pipeline. Triggers: internal use only.
Install this agent skill to your Project
npx add-skill https://github.com/timequity/vibe-coder/tree/main/skills/security-check
SKILL.md
Security Check
OWASP validation on every code generation. User doesn't see.
Checks
Input Validation
- All user inputs sanitized
- No raw SQL queries (use parameterized)
- No eval() or dynamic code execution
- File uploads validated (type, size)
Authentication
- Passwords hashed (bcrypt/argon2)
- Sessions properly managed
- CSRF protection enabled
- Rate limiting on auth endpoints
Authorization
- Protected routes check auth
- API endpoints verify permissions
- No direct object references exposed
Data Exposure
- No secrets in code
- Sensitive data not logged
- API responses don't leak internals
- Error messages don't expose stack
Headers
- HTTPS enforced
- Security headers set (CSP, HSTS)
- Cookies secure + httpOnly
Auto-Fix
For common issues:
| Issue | Auto-Fix |
|---|---|
| Raw SQL | Convert to parameterized |
| Missing sanitization | Add input validation |
| Exposed secrets | Move to env vars |
| Missing auth check | Add middleware |
Automation Script
Run OWASP checks programmatically:
python scripts/security_scan.py --path /project/path
python scripts/security_scan.py --path /project/path --json # JSON output
python scripts/security_scan.py --fail-on high # Fail on high+ severity
Checks: SQL injection, hardcoded secrets, unsafe eval, command injection, insecure HTTP.
Reporting
| Result | Action |
|---|---|
| All pass | Continue silently |
| Auto-fixed | Continue, log internally |
| Can't fix | Block + ask user to clarify |
User sees nothing unless there's an unfixable security issue.
Recommended Agent Skills
Expand your agent's capabilities with these related and highly-rated skills.
timequity/vibe-coder
mvp-help
Help and documentation for Idea to MVP plugin. Use when: user asks about building MVPs, vibe coding, or available commands. Triggers: "help", "what can you do", "mvp help", "how to build".
timequity/vibe-coder
verification-gate
Hidden quality gate that runs before showing "Done!" to user - ensures all tests pass, build succeeds, and requirements met before claiming completion
timequity/vibe-coder
brainstorming
Refine ideas into detailed designs through Socratic dialogue. Use when: user has rough idea, needs to clarify requirements, explore approaches. Triggers: "brainstorm", "discuss idea", "I'm thinking about", "what if", "help me think through", "explore options", "/brainstorm".
timequity/vibe-coder
subagent-creator
Guide for creating effective subagents (custom agents). Use when users want to create a new subagent that can be dispatched via Task tool for autonomous work. Covers frontmatter fields (name, description, tools, model, permissionMode, skills), prompt design, and when to use subagents vs skills.
timequity/vibe-coder
backend-rust
Modern Rust backend with Axum, SQLx, tokio + CI/CD automation. Use when: building Rust APIs, high-performance services, or needing build/test/lint/audit automation. Triggers: "axum", "rust backend", "rust api", "sqlx", "tokio", "cargo build", "cargo test", "clippy", "rustfmt", "cargo-audit", "cross-compile", "rust ci", "release build", "rust security", "shuttle", "actix".
timequity/vibe-coder
test-driven-development
Write failing test first, then minimal code to pass. Red-Green-Refactor cycle. Use when: implementing features, fixing bugs, refactoring code. Triggers: "implement", "add feature", "fix bug", "tdd", "test first", "write tests", "test-driven".
Didn't find tool you were looking for?