Claude Skills
Your AI security auditor that scans your entire SaaS. 11 audit phases. OWASP Top 10 coverage. Supabase RLS verification. CVE cross-referencing. Secrets scanning. AI-code anti-patterns. One structured PASS/FAIL report with concrete fixes.
What it audits
Point it at your app. The skill checks auth, Supabase, headers, secrets, input validation, infrastructure, data protection, dependencies, and AI-code patterns in a single pass.
Inventories every API route. Classifies each as auth-protected, token-based, or public. Verifies middleware exists and covers admin routes. Checks cookie flags, CSRF protection, and OAuth scope minimization.
Queries pg_tables to verify RLS is enabled on every table in an API-exposed schema (public by default), because PostgREST serves those tables straight to whoever holds the anon key. Runs the Supabase Security Advisor. Checks that functions pin search_path, that SECURITY DEFINER functions are isolated, and that your service role key never reaches a client bundle.
Verifies CSP, HSTS, X-Frame-Options, Referrer-Policy, and Permissions-Policy are present. Checks Vercel deployment protection, CORS configuration, rate limiting on public endpoints, and source maps disabled in production.
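The Supabase checks above, as an added example that is not the skill's own code: two standard Postgres catalog queries (pg_tables for row security, pg_proc joined to pg_namespace for function search_path and SECURITY DEFINER), a classifier over their rows, and a check that no NEXT_PUBLIC_ variable carries a service_role JWT (Next.js inlines NEXT_PUBLIC_ values into the browser bundle). The row shapes mirror the query column names; the severity labels, OWASP names (2021 wording), fix strings and sample rows are constructed for illustration, and the queries are assumed to be run through the Supabase SQL editor or a pg client and their rows handed to the functions below.

```javascript
// Added example: classify Supabase catalog rows the way an RLS/function audit
// would. Column names follow the Postgres catalogs; everything else (severity,
// sample rows, fix text) is constructed for illustration.

// Standard catalog queries. pg_tables.rowsecurity is true when RLS is enabled.
const TABLES_SQL = `
  select schemaname, tablename, rowsecurity
  from pg_tables
  where schemaname not in ('pg_catalog', 'information_schema')`;

// proconfig holds per-function SET clauses, e.g. 'search_path=""';
// prosecdef is true for SECURITY DEFINER functions.
const FUNCTIONS_SQL = `
  select n.nspname as schema, p.proname as name,
         p.prosecdef as security_definer, p.proconfig
  from pg_proc p
  join pg_namespace n on n.oid = p.pronamespace
  where n.nspname = 'public'`;

// Schemas PostgREST exposes to the anon/authenticated roles (Supabase default: public).
const EXPOSED_SCHEMAS = new Set(['public']);

function auditTables(rows) {
  const findings = [];
  for (const r of rows) {
    if (!EXPOSED_SCHEMAS.has(r.schemaname) || r.rowsecurity) continue;
    findings.push({
      severity: 'P0',
      owasp: 'Broken Access Control',
      object: `${r.schemaname}.${r.tablename}`,
      issue: 'RLS disabled on an API-exposed table: the anon key can read and write every row',
      // Note: enabling RLS with no policies denies all API access until policies are added.
      fix: `alter table "${r.schemaname}"."${r.tablename}" enable row level security;`,
    });
  }
  return findings;
}

function hasFixedSearchPath(proconfig) {
  return Array.isArray(proconfig) && proconfig.some((c) => c.startsWith('search_path='));
}

function auditFunctions(rows) {
  const findings = [];
  for (const f of rows) {
    if (hasFixedSearchPath(f.proconfig)) continue;
    findings.push({
      severity: f.security_definer ? 'P1' : 'P2',
      owasp: 'Security Misconfiguration',
      object: `${f.schema}.${f.name}()`,
      issue: f.security_definer
        ? 'SECURITY DEFINER function with mutable search_path: a caller can shadow objects it references'
        : 'function search_path is mutable',
      // Add argument types if the function name is overloaded.
      fix: `alter function "${f.schema}"."${f.name}" set search_path = '';`,
    });
  }
  return findings;
}

// Legacy Supabase API keys are JWTs whose payload carries role: "service_role".
function decodeJwtRole(token) {
  const parts = String(token).split('.');
  if (parts.length !== 3) return null;
  try {
    return JSON.parse(Buffer.from(parts[1], 'base64url').toString('utf8')).role ?? null;
  } catch {
    return null;
  }
}

// Anything prefixed NEXT_PUBLIC_ is inlined into the client bundle by Next.js.
function auditPublicEnv(env) {
  return Object.entries(env)
    .filter(([k, v]) => k.startsWith('NEXT_PUBLIC_') && decodeJwtRole(v) === 'service_role')
    .map(([k]) => ({
      severity: 'P0',
      owasp: 'Cryptographic Failures',
      object: k,
      issue: 'service role key is exposed to the client bundle',
      fix: 'move it to a server-only variable and rotate the key',
    }));
}

// Constructed sample data (not real catalog output or real keys).
const sampleTables = [
  { schemaname: 'public', tablename: 'profiles', rowsecurity: true },
  { schemaname: 'public', tablename: 'invoices', rowsecurity: false },
  { schemaname: 'private', tablename: 'ledger', rowsecurity: false }, // not API-exposed
];
const sampleFunctions = [
  { schema: 'public', name: 'is_admin', security_definer: true, proconfig: null },
  { schema: 'public', name: 'slugify', security_definer: false, proconfig: ['search_path=""'] },
];
const fakeJwt = (payload) => 'h.' + Buffer.from(JSON.stringify(payload)).toString('base64url') + '.sig';
const sampleServiceKey = fakeJwt({ role: 'service_role' });
const sampleAnonKey = fakeJwt({ role: 'anon' });

console.log(auditTables(sampleTables), auditFunctions(sampleFunctions),
  auditPublicEnv({ NEXT_PUBLIC_SUPABASE_ANON_KEY: sampleAnonKey, SUPABASE_SERVICE_ROLE_KEY: sampleServiceKey }));
```

The table check deliberately ignores schemas PostgREST does not expose; if you have added schemas to the API settings, add them to EXPOSED_SCHEMAS or the audit will miss them.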
What makes it different
Compares your Next.js, React, and NextAuth versions against CVE-2025-29927 (middleware bypass), CVE-2025-55182 (RCE, CVSS 10.0), CVE-2025-55183/55184 (DoS), and CVE-2026-27979. Not a generic scan - version-specific verification.
AI-generated code has 2.74x more vulnerabilities than human code. The skill checks for Math.random() in security contexts, TypeScript "any" in auth paths, dead endpoints, hardcoded secrets, hidden Unicode characters (zero-width and bidirectional control characters) in configs, and overly permissive defaults.
Every finding gets an OWASP category (A01 through A10), a severity level, a file path with line number, and a concrete fix. The report tells you exactly what to change, not just what is wrong.
Tests multi-tenant isolation, cross-tenant data access, token brute-force resistance, PII leakage in API responses, and error messages that expose internals. Built from real breach analysis - 170+ Supabase apps exposed by missing RLS, 766 Next.js hosts breached via CVE-2025-55182.
How it works
Point it at your production or staging URL. It runs 11 phases automatically - from dependency CVEs to Supabase RLS, from secrets scanning to multi-tenant isolation.
# Output
SECURITY-AUDIT-2026-04-07.md
# OWASP Top 10 coverage, pass/fail per phase, P0-P3 fixes, Supabase advisor, verdict
Research foundation
Built from security research by CrowdStrike, Datadog Security Labs, OWASP, the UK NCSC, Checkmarx, Endor Labs, GitGuardian, PortSwigger, and official docs from Supabase, Vercel, and Next.js. Every check is tied to a real CVE, a documented breach, or an industry best practice.
The full source list with URLs is included in the skill file - so you can verify every recommendation yourself.
Solo founders who vibe-code with AI and need to know nothing slipped through. Small teams that don't have a security audit budget. Anyone running a Next.js + Supabase app who plans to let paying users onto it.
Let it check before your users do.