vibe-security-skill
Installation
SKILL.md
Vibe Security Skill
Acknowledgement: Shared by Peter Bamuhigire, techguypeter.com, +256 784 464178.
Baseline web-application and SaaS security skill. Produces the four contract artifacts — threat model, abuse case list, auth/authz matrix, secret handling plan — that downstream specialist skills (api-design-first, deployment-release-engineering, observability-monitoring, ai-security, llm-security) consume.
Use When
- Designing a new feature or service that handles authenticated users, personal data, money, or privileged actions.
- Reviewing a web application, REST or GraphQL API, webhook handler, or multi-tenant SaaS for security defects before release.
- Auditing AI-generated code for the blind spots it reliably creates (IDOR, plain-text secrets, missing webhook signatures, no rate limiting).
- Producing the threat model, abuse cases, auth/authz matrix, or secret plan that downstream design, delivery, and ops skills depend on.
Do Not Use When
- The feature is purely cosmetic with no data, auth, or privileged action — apply
practical-ui-designinstead. - The security concern is LLM-specific (prompt injection, context exfiltration, tool abuse) — load
llm-securityorai-security. - The task is CI/CD hardening (SBOM, scanner gates, runner isolation) — load
cicd-devsecops. - The task is full audit of an existing application — load
web-app-security-audit, which uses this skill's artifacts as inputs.