vibe-security

Audit code for security vulnerabilities commonly introduced by AI code generation. These issues are prevalent in "vibe-coded" apps — projects built rapidly with AI assistance where security fundamentals get skipped.
AI assistants consistently get these patterns wrong, leading to real breaches, stolen API keys, and drained billing accounts. This skill exists to catch those mistakes before they ship.

The Core Principle

Never trust the client. Every price, user ID, role, subscription status, feature flag, and rate limit counter must be validated or enforced server-side. If it exists only in the browser, mobile bundle, or request body, an attacker controls it.

Audit Process

Examine the codebase systematically. For each step, load the relevant reference file only if the codebase uses that technology or pattern. Skip steps that aren't relevant.
  1. Secrets & Environment Variables — Scan for hardcoded API keys, tokens, or credentials. Check for secrets exposed via client-side env var prefixes (`NEXT_PUBLIC_`, `VITE_`, `EXPO_PUBLIC_`). Verify `.env` is in `.gitignore`. See `references/secrets-and-env.md`.
  2. Database Access Control — Check Supabase RLS policies, Firebase Security Rules, or Convex auth guards. This is the #1 source of critical vulnerabilities in vibe-coded apps. See `references/database-security.md`.
  3. Authentication & Authorization — Validate JWT handling, middleware auth, Server Action protection, and session management. See `references/authentication.md`.
  4. Rate Limiting & Abuse Prevention — Ensure auth endpoints, AI calls, and expensive operations have rate limits. Verify rate limit counters can't be tampered with. See `references/rate-limiting.md`.
  5. Payment Security — Check for client-side price manipulation, webhook signature verification, and subscription status validation. See `references/payments.md`.
  6. Mobile Security — Verify secure token storage, API key protection via backend proxy, and deep link validation. See `references/mobile.md`.
  7. AI / LLM Integration — Check for exposed AI API keys, missing usage caps, prompt injection vectors, and unsafe output rendering. See `references/ai-integration.md`.
  8. Deployment Configuration — Verify production settings, security headers, source map exposure, and environment separation. See `references/deployment.md`.
  9. Data Access & Input Validation — Check for SQL injection, ORM misuse, and missing input validation. See `references/data-access.md`.
If doing a partial review or generating code in a specific area, load only the relevant reference files.
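Step 1 as a small audit helper, added here as an example that is not part of this skill's reference files or code: it parses a dotenv file, flags client-prefixed variables that carry a Supabase `service_role` JWT (the Critical finding in the example output below) or a secret-looking name, and checks that `.gitignore` covers `.env`. The name heuristics, the sample `.env` and its locally built JWT are all constructed for the example.

```typescript
// Prefixes that Next.js, Vite and Expo inline into the client bundle.
const CLIENT_PREFIXES = ["NEXT_PUBLIC_", "VITE_", "EXPO_PUBLIC_"];
// Name fragments suggesting a server-only credential (heuristic, constructed for this example).
const SECRET_NAME_HINTS = ["SERVICE_KEY", "SERVICE_ROLE", "SECRET", "PRIVATE", "PASSWORD"];

interface Finding { line: number; name: string; reason: string }

// Returns the "role" claim of a JWT-shaped value (Supabase keys carry role "anon"
// or "service_role"), or null when the value is not a JWT.
function jwtRole(value: string): string | null {
  const parts = value.split(".");
  if (parts.length !== 3 || !parts[0].startsWith("eyJ")) return null;
  try {
    const payload = JSON.parse(Buffer.from(parts[1], "base64url").toString("utf8"));
    return typeof payload.role === "string" ? payload.role : null;
  } catch {
    return null;
  }
}

// Scans dotenv content (KEY=VALUE lines) for secrets that would ship to the browser.
function auditDotenv(content: string): Finding[] {
  const findings: Finding[] = [];
  content.split(/\r?\n/).forEach((raw, i) => {
    const text = raw.trim();
    const eq = text.indexOf("=");
    if (!text || text.startsWith("#") || eq < 0) return; // blank, comment or malformed line
    const name = text.slice(0, eq).trim().replace(/^export\s+/, "");
    const value = text.slice(eq + 1).trim().replace(/^["']|["']$/g, "");
    const prefix = CLIENT_PREFIXES.find((p) => name.startsWith(p));
    if (!prefix) return; // no client prefix: the bundler keeps it server-side
    if (jwtRole(value) === "service_role") {
      findings.push({ line: i + 1, name, reason: `${prefix} variable holds a service_role JWT; it ships in the bundle and bypasses RLS` });
    } else if (SECRET_NAME_HINTS.some((h) => name.slice(prefix.length).includes(h))) {
      findings.push({ line: i + 1, name, reason: `${prefix} variable is named like a server-only secret` });
    }
  });
  return findings;
}

// True when a .gitignore line covers the .env file itself (".env.local" alone does not).
function envIsGitignored(gitignore: string): boolean {
  const covering = new Set([".env", "/.env", ".env*", "*.env"]);
  return gitignore.split(/\r?\n/).some((l) => covering.has(l.trim()));
}

// Constructed sample input: the JWT below is built locally and is not a real key.
const SAMPLE_SERVICE_JWT =
  "eyJhbGciOiJIUzI1NiJ9." + Buffer.from('{"role":"service_role"}').toString("base64url") + ".sig";
const SAMPLE_ENV = [
  "NEXT_PUBLIC_SUPABASE_URL=https://example.supabase.co",
  `NEXT_PUBLIC_SUPABASE_SERVICE_KEY=${SAMPLE_SERVICE_JWT}`, // flagged: service_role in a public var
  `SUPABASE_SERVICE_ROLE_KEY=${SAMPLE_SERVICE_JWT}`, // not flagged: no client prefix
  "VITE_STRIPE_SECRET=sk_test_constructed", // flagged by name
].join("\n");
```

Run `auditDotenv` over every `.env*` file in the repo and over the CI environment dump; a clean result from this check does not replace reviewing the bundle itself, since values can also be hardcoded in source.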

Core Instructions

  • Report only genuine security issues. Do not nitpick style or non-security concerns.
  • When multiple issues exist, prioritize by exploitability and real-world impact.
  • If the codebase doesn't use a particular technology (e.g., no Supabase), skip that section entirely.
  • When generating new code, consult the relevant reference files proactively to avoid introducing vulnerabilities in the first place.
  • If you find a critical issue (exposed secrets, disabled RLS, auth bypass), flag it immediately at the top of your response — don't bury it in a long list.

Output Format

Organize findings by severity, in this order: Critical, High, Medium, Low.
For each issue:
  1. State the file and relevant line(s).
  2. Name the vulnerability.
  3. Explain what an attacker could do (concrete impact, not abstract risk).
  4. Show a before/after code fix.
Skip areas with no issues. End with a prioritized summary.

Example Output

Critical

`lib/supabase.ts:3` — Supabase `service_role` key exposed in client bundle
The `service_role` key bypasses all Row-Level Security. Anyone can extract it from the browser bundle and read, modify, or delete every row in your database.
```typescript
// Before
const supabase = createClient(url, process.env.NEXT_PUBLIC_SUPABASE_SERVICE_KEY!)

// After — use the anon key client-side; service_role belongs only in server-side code
const supabase = createClient(url, process.env.NEXT_PUBLIC_SUPABASE_ANON_KEY!)
```

High

`app/api/checkout/route.ts:15` — Price taken from client request body
An attacker can set any price (including $0.01) by modifying the request. Prices must be looked up server-side.
```typescript
// Before
const session = await stripe.checkout.sessions.create({
  line_items: [{ price_data: { unit_amount: req.body.price } }]
})

// After — look up the price server-side
const product = await db.products.findUnique({ where: { id: req.body.productId } })
const session = await stripe.checkout.sessions.create({
  line_items: [{ price: product.stripePriceId }]
})
```
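The price lookup above fixes the checkout side; the other client-supplied input in step 5 is the webhook that later updates subscription status. Its signature check, added here as an example that is not part of this skill or of Stripe's SDK, verifies the header format Stripe documents (`t=<timestamp>,v1=<hex HMAC-SHA256 over "<timestamp>.<raw body>">`) with a replay window and a constant-time comparison. The secret, body and timestamp in the fixture are constructed; in production use `stripe.webhooks.constructEvent` from the SDK, which performs the same check.

```typescript
import { createHmac, timingSafeEqual } from "node:crypto";

// Replay window: deliveries whose timestamp is further than this from "now" are rejected.
const TOLERANCE_SECONDS = 300;

// Signs a raw body the way the sender does. Used here only to build fixtures;
// an application never signs its own incoming webhooks.
function signPayload(rawBody: string, secret: string, timestampSec: number): string {
  const mac = createHmac("sha256", secret).update(`${timestampSec}.${rawBody}`).digest("hex");
  return `t=${timestampSec},v1=${mac}`;
}

// Verifies the signature header over the raw request bytes. Verify BEFORE parsing
// JSON: re-serializing a parsed object changes the bytes and therefore the MAC.
// Simplification: the scheme allows several v1= entries; this parser keeps the last one.
function verifyWebhook(
  rawBody: string,
  header: string | undefined,
  secret: string,
  nowSec: number,
): { ok: boolean; reason?: string } {
  if (!header) return { ok: false, reason: "missing signature header" };
  const fields = new Map<string, string>();
  for (const kv of header.split(",")) {
    const eq = kv.indexOf("=");
    if (eq > 0) fields.set(kv.slice(0, eq), kv.slice(eq + 1));
  }
  const ts = Number(fields.get("t"));
  const sig = fields.get("v1");
  if (!Number.isInteger(ts) || !sig) return { ok: false, reason: "malformed header" };
  if (Math.abs(nowSec - ts) > TOLERANCE_SECONDS) return { ok: false, reason: "timestamp outside tolerance" };
  const expected = createHmac("sha256", secret).update(`${ts}.${rawBody}`).digest();
  const given = Buffer.from(sig, "hex");
  // Length check first: timingSafeEqual throws on buffers of unequal length.
  if (given.length !== expected.length || !timingSafeEqual(given, expected)) {
    return { ok: false, reason: "signature mismatch" };
  }
  return { ok: true };
}

// Constructed fixture: a fake webhook secret and body, not real Stripe values.
const SAMPLE_SECRET = "whsec_constructed_example_secret";
const SAMPLE_BODY = '{"type":"checkout.session.completed","data":{"object":{"id":"cs_constructed"}}}';
const SAMPLE_NOW = 1700000000;
const SAMPLE_HEADER = signPayload(SAMPLE_BODY, SAMPLE_SECRET, SAMPLE_NOW);
```

Only after `verifyWebhook` returns `ok` should the handler parse the body and update the subscription row; an unverified endpoint lets anyone mark any account as paid.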

Summary

  1. Service role key exposed (Critical): Anyone can bypass all database security. Rotate the key immediately and move it to server-side only.
  2. Client-controlled pricing (High): Attackers can purchase at any price. Use server-side price lookup.

When Generating Code

These rules also apply proactively. Before writing code that touches auth, payments, database access, API keys, or user data, consult the relevant reference file to avoid introducing the vulnerability in the first place. Prevention is better than detection.

References

  • `references/secrets-and-env.md` — API keys, tokens, environment variable configuration, and `.gitignore` rules.
  • `references/database-security.md` — Supabase RLS, Firebase Security Rules, and Convex auth patterns.
  • `references/authentication.md` — JWT verification, middleware, Server Actions, and session management.
  • `references/rate-limiting.md` — Rate limiting strategies and abuse prevention.
  • `references/payments.md` — Stripe security, webhook verification, and price validation.
  • `references/mobile.md` — React Native and Expo security: secure storage, API proxy, deep links.
  • `references/ai-integration.md` — LLM API key protection, usage caps, prompt injection, and output sanitization.
  • `references/deployment.md` — Production configuration, security headers, and environment separation.
  • `references/data-access.md` — SQL injection prevention, ORM safety, and input validation.