The Free Claude Code Skill That Finds Every Security Vulnerability in Your Vibe Coded App
62% of AI-generated code ships with critical vulnerabilities.
April 15, 2026
The Free Claude Code Skill That Finds Every Security Vulnerability in Your Vibe Coded App
62% of AI-generated code ships with critical vulnerabilities. Moltbook leaked 1.5 million authentication tokens in February 2026 because the founder vibe coded the entire app and didn’t know it was riddled with security holes. Here is the free Claude Code skill that scans your entire codebase with 8 AI security agents and finds every vulnerability before someone else does.
TL;DR
The /cybersecurity skill for Claude Code installs in one command and spawns 8 parallel specialist AI agents that audit your entire codebase for vulnerabilities. Covers CWE Top 25, OWASP Top 10:2025, MITRE ATT&CK threat patterns, 11 programming languages, and 4 infrastructure platforms. Delivers a 0-100 security score plus every vulnerability mapped to exact file and line with specific fixes. Free. Catches things GitHub Advanced Security ($49/committer/month) architecturally cannot detect.
The Vibe Coding Security Crisis
Something quietly terrifying is happening across the AI coding space. People who have never written a line of production code are shipping apps built entirely through vibe coding. Claude writes the backend. Cursor writes the frontend. Bolt generates the infrastructure. The app works, it looks good, and it goes live.
Then it gets hacked.
The research is stark. Checkmarx’s 2026 report on AI-generated code found that Claude, GPT, and other frontier models produce code with vulnerabilities 40-62% of the time. GuardMint tested vibe-coded apps in Q1 2026 and found that 60%+ of them had exposed API keys or database credentials sitting in public repositories or deployed code. Georgia Tech’s Vibe Security Radar tracked 35 new CVE entries directly caused by AI-generated code in March 2026 alone, up from just 6 in January.
The Moltbook breach is the most public example. Moltbook, a social network for AI agents, was built 100% through vibe coding. The founder wrote zero lines of code. Security firm Wiz discovered a misconfigured Supabase database with public read and write access. The breach exposed 1.5 million authentication tokens and 35,000 email addresses. The app looked great. It was not secure.
This is not a hypothetical risk. If you are shipping code that Claude wrote, your app has vulnerabilities right now. You just don’t know what they are.
What Is the /cybersecurity Claude Code Skill?
Claude Code supports custom skills defined as SKILL.md files in the ~/.claude/skills/ directory. The /cybersecurity skill, built by AgriciDaniel and released in April 2026, is a comprehensive AI-powered code security audit tool that runs entirely inside Claude Code.
Unlike traditional security scanners that use regex and static analysis, this skill spawns 8 specialist AI agents that each focus on a specific security dimension and read your code contextually. They run in parallel, not sequentially, so a full audit takes under 2 minutes.
The 8 agents:
- Vulnerability detection - 25 CWE Top 25 categories plus OWASP Top 10:2025
- Authorization verification - Context-aware access control checks
- Secret scanning - 84.4% recall including obfuscated secrets
- Supply chain analysis - Malicious packages, typosquats, compromised versions
- Infrastructure as Code - Terraform, Docker, Kubernetes, GitHub Actions
- Threat intelligence - MITRE ATT&CK patterns (T1059, T1027, T1071, T1195, T1005, T1041, T1496)
- AI-generated code patterns - Insecure patterns Claude and other models commonly produce
- Business logic flaws - Race conditions, privilege escalation, logic bugs
What you get: a 0-100 composite security score using a CVSS-aligned formula, every vulnerability mapped to the exact file and line, CVE severity ratings, and specific fixes for each issue.
How to Install and Run Your First Audit
Step 1: Install Claude Code
If you don’t already have Claude Code, install it: npm install -g @anthropic-ai/claude-code. Sign in with your Anthropic account.
Step 2: Install the /cybersecurity Skill
One-line install on Mac or Linux:
curl -fsSL https://raw.githubusercontent.com/AgriciDaniel/claude-cybersecurity/main/install.sh | bashOn Windows PowerShell:
irm https://raw.githubusercontent.com/AgriciDaniel/claude-cybersecurity/main/install.ps1 | iexNo API keys. No configuration. The skill auto-detects your stack (frontend, backend, infrastructure) and is ready to scan immediately.
Step 3: Run the Audit
Navigate to your project directory in the terminal, launch Claude Code, and type:
/cybersecurityClaude spawns 8 parallel agents. You will see each one posting findings as they work through your codebase. In under 2 minutes you get a full security report.
For faster, more targeted scans:
/cybersecurity --scope quickscans entry points + auth + secrets + deps only (~30 seconds)/cybersecurity --scope diffreviews only changed files (perfect for PR review)/cybersecurity --focus threatdeep dives into one specific dimension/cybersecurity --compliance pciadds PCI DSS, HIPAA, SOC 2, GDPR, or NIST 800-53 compliance mapping
What Vulnerabilities It Actually Finds
The top 5 vulnerabilities in vibe-coded apps, based on GuardMint’s Q1 2026 research:
CWE-798: Hardcoded Credentials. Stripe keys, OpenAI tokens, database passwords written directly into source files. The #1 vulnerability in AI-generated code. Fix: Move to environment variables or a secrets manager (AWS Secrets Manager, HashiCorp Vault, Doppler).
CWE-862: Missing Authorization. API endpoints that accept requests without checking if the user has permission. The Moltbook breach was essentially a variant of this. Fix: Add middleware that validates every request against user permissions, enforced at the route level.
CWE-89: SQL Injection. User input concatenated into database queries. Still common in AI-generated code because models frequently produce string-concatenation patterns. Fix: Use parameterized queries or an ORM.
CWE-79: Cross-Site Scripting (XSS). User input rendered into HTML without escaping. Fix: Sanitize all output, use framework-provided escaping (React does this by default, most others need explicit calls).
CWE-200: Sensitive Information Exposure. Error messages leaking stack traces, database schemas, or internal file paths to users. Fix: Generic error messages to users, detailed logs server-side only.
Why This Beats GitHub Advanced Security
GitHub Advanced Security (GHAS) is the enterprise standard for code security scanning. It costs $49 per active committer per month. For a 10-person team, that is $5,880 per year.
The /cybersecurity skill is free. But the real story is what it catches that GHAS does not:
| Capability | GHAS | /cybersecurity |
|---|---|---|
| Business logic flaw detection | No | Yes |
| Authorization enforcement verification | Basic | Context-aware |
| Race condition detection | Very limited | Concurrency pattern analysis |
| Languages supported | 12 | 16+ (any language) |
| IaC/Container/CI-CD scanning | No | Terraform, Docker, K8s, Actions |
| AI-generated code security | No | Specialized detection |
| Obfuscated secret detection | Regex only | Semantic understanding (84.4% recall) |
| Threat intelligence (malware/C2) | No | MITRE ATT&CK mapped |
| Framework-aware false-positive suppression | No | 10 frameworks |
| Cost | $49/committer/month | Free |
Static security scanners like GHAS, Snyk, and SonarCloud rely on pattern matching. They cannot understand that a specific function lacks authorization context or that two seemingly safe functions combine to create a privilege escalation path. The /cybersecurity skill uses AI agents that read code contextually, which is why it catches flaws static tools architecturally cannot.
Who Should Run This
Vibe coders and solo builders shipping apps built with Claude Code, Cursor, Bolt, or similar AI coding tools. You are the highest-risk population and you probably have the least security expertise.
Startup founders who had an agency or AI build their MVP. Before you onboard real customers or take their payment info, audit the code.
Agencies delivering client work. Run the audit before you ship and include the 0-100 score in your deliverable.
Anyone with a codebase that has not been audited by a human security expert in the last 6 months.
FAQ
Is this actually free? Yes. The skill itself is MIT-licensed open source. The only cost is your Claude Code usage, which has a generous free tier that handles security audits easily.
Can it fix vulnerabilities automatically? It identifies vulnerabilities with specific fixes, but does not auto-patch your code. This is intentional - security fixes should be reviewed by a human before deployment.
How does this compare to Snyk? Snyk focuses primarily on supply chain vulnerabilities (known-bad dependencies). The /cybersecurity skill covers supply chain too, but also handles business logic flaws, authorization, and AI-specific code patterns that Snyk does not.
Does it work with all programming languages? It has specialized pattern files for 11 languages (Python, JavaScript/TypeScript, Go, Rust, Java, C#, Ruby, PHP, Swift, Kotlin, and more) but can analyze any language contextually.
What about false positives? The skill includes framework-aware false-positive suppression for 10 common frameworks (React, Vue, Django, Rails, Express, Next.js, Laravel, Spring, etc.). This means it understands that React auto-escapes by default and will not flag XSS in properly-used JSX.
Can I run it in CI/CD?
Yes. The --scope diff flag makes it ideal for PR review. You can invoke it from a GitHub Action or any CI runner that has Claude Code installed.
This is day 54 of the Actionable AI Series. Comment “SECURE” on our latest video for the install link and audit walkthrough.