Claude Code skill audits vibe-coded apps against 50 security checks
`slopsec` is a Claude Code skill by u/lachy-dev that runs a structured security audit on AI-generated SaaS apps, covering 50 common vulnerabilities across 9 categories with severity scoring and a findings report.
Score breakdown
The skill packages a repeatable, severity-scored security audit directly into the Claude Code workflow, addressing the gap where AI-generated apps ship without any security review.
`slopsec`, published on GitHub by u/lachy-dev, is a Claude Code skill that brings structured security auditing to the "vibe coding" workflow. It is built around 50 documented vulnerability patterns that commonly affect AI-generated apps, organized into a step-by-step procedure: scope the app, walk the checklist, prove each finding rather than merely flag it, prioritize by severity, fix, and re-verify. The README frames the motivation bluntly: unexpected cloud bills caused by exposed API keys, and its claim that freshly launched apps are probed by attackers within 3 hours of going live.

The skill ships as a folder of plain reference files rather than a scanner: `SKILL.md` defines how to run an audit and its non-negotiables; `references/principles.md` documents all 50 principles with "what to look for" and "how to fix" guidance; `references/checklist.md` is a top-to-bottom tick-box audit; `references/severity.md` defines the P0–P3 scoring system so the most catastrophic issues surface first; and `references/report-template.md` provides the findings report format. Because the audit is performed by the model following these instructions, the "prove the findings" step carries the weight: a reported issue should be tied to the specific code path or request that demonstrates it, not asserted from the checklist alone.

The 9 audit categories span Secrets & Exposure, AuthN & AuthZ, Database & Storage, Injection & Input, Sessions/Tokens/Cookies, Frontend Trust Boundary, Rate Limiting & Exposure Surface, AI-specific issues, and Ops/Logging/Dependencies. Installation is a matter of dropping the `slopsec/` folder into either the project-level `.claude/skills/slopsec/` directory (committed with the repo, so collaborators get it too) or the personal `~/.claude/skills/slopsec/` path (available in every project on that machine); after that the skill triggers on natural-language prompts such as "run a security review before I launch."
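To make the severity-scored audit concrete, here is an added example that is not slopsec's code (slopsec is a set of markdown instructions the model follows) and not the page author's: a small Python check in the spirit of the Secrets & Exposure and Frontend Trust Boundary categories. It scans a constructed sample file tree for hardcoded credentials, assigns each hit a P0–P3 level, and renders a findings table. The regex catalogue, the P0–P3 mapping, the `ships_to_browser` heuristic, the sample files and the report layout are all assumptions made for this example; slopsec's own definitions live in `references/severity.md` and `references/report-template.md`.

```python
"""Added example: a minimal severity-scored secret-exposure check with a
findings report. Not slopsec's code; patterns, severity mapping, sample files
and report layout are assumptions made for illustration.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample files standing in for a vibe-coded Next.js app.
# No value below is a real credential.
SAMPLE_FILES = {
    "app/checkout/page.tsx": (
        '"use client";\n'
        'const res = await fetch("https://api.openai.com/v1/chat/completions", {\n'
        '  headers: { Authorization: "Bearer sk-FAKE0000000000000000000000000000" },\n'
        "});\n"
    ),
    "lib/stripe.ts": 'export const stripe = new Stripe("sk_live_FAKE0000000000000000000000");\n',
    ".env": (
        "DATABASE_URL=postgres://app:pw@db:5432/app\n"
        "STRIPE_SECRET_KEY=sk_test_FAKE0000000000000000000000\n"
    ),
    ".env.example": "STRIPE_SECRET_KEY=sk_live_REPLACE_ME\n",
}

# Pattern catalogue: (label, regex). Assumed for this example; a real scanner
# carries far more patterns plus entropy checks.
PATTERNS = [
    ("Stripe live secret key", re.compile(r"\bsk_live_[0-9A-Za-z]{20,}")),
    ("Stripe test secret key", re.compile(r"\bsk_test_[0-9A-Za-z]{20,}")),
    ("AWS access key ID", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("OpenAI-style API key", re.compile(r"\bsk-[A-Za-z0-9]{20,}\b")),
]

ORDER = {"P0": 0, "P1": 1, "P2": 2, "P3": 3}


@dataclass(frozen=True)
class Finding:
    severity: str
    path: str
    line: int
    label: str
    evidence: str  # redacted: the report must never carry the full secret


def ships_to_browser(path: str, content: str) -> bool:
    """Frontend trust boundary heuristic (assumption, Next.js-flavoured):
    public/ and components/ are bundled for the client, as is any file with a
    "use client" directive. Files under app/ are server components by default,
    so the directive, not the directory, decides."""
    if path.startswith(("public/", "components/", "src/components/")):
        return True
    return '"use client"' in content or "'use client'" in content


def severity_for(path: str, label: str, content: str) -> Optional[str]:
    """Assumed P0-P3 mapping for leaked credentials.
    P0: live secret readable by anyone who loads the site.
    P1: live secret committed to the repo but only ever served from the backend.
    P2: test/sandbox credential committed: limited blast radius, still a leak.
    None: committed template files are expected to hold placeholders."""
    if re.search(r"\.env\.(example|sample|template)$", path):
        return None
    if "test" in label.lower():
        return "P2"
    if ships_to_browser(path, content):
        return "P0"
    return "P1"


def redact(secret: str) -> str:
    """Keep enough to locate the value in the file, never the whole thing."""
    return (secret[:8] + "..." + secret[-4:]) if len(secret) > 12 else "***"


def scan(files: dict) -> list:
    findings = []
    for path, content in files.items():
        for lineno, line in enumerate(content.splitlines(), start=1):
            for label, pattern in PATTERNS:
                for m in pattern.finditer(line):
                    sev = severity_for(path, label, content)
                    if sev is not None:
                        findings.append(Finding(sev, path, lineno, label, redact(m.group(0))))
    # Catastrophic issues first, then stable by location so reports diff cleanly.
    return sorted(findings, key=lambda f: (ORDER[f.severity], f.path, f.line))


def render_report(findings: list) -> str:
    """Findings table (layout assumed, not slopsec's report-template.md)."""
    lines = ["| Sev | Location | Finding | Evidence |", "|---|---|---|---|"]
    for f in findings:
        lines.append(f"| {f.severity} | {f.path}:{f.line} | {f.label} | `{f.evidence}` |")
    if not findings:
        lines.append("| - | - | no hardcoded credentials found | - |")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_report(scan(SAMPLE_FILES)))
```

The mapping encodes the point the Frontend Trust Boundary category makes: the same kind of key is P1 in `lib/stripe.ts` but P0 in a `"use client"` component, because anything bundled for the browser is readable by every visitor. The redaction step is deliberate: a findings report that quotes full secrets is itself an exposure, so the report shows only enough of each value to locate it.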
Key facts
1. Covers 50 documented vulnerability patterns common in AI-generated SaaS apps
2. Organized into 9 categories including Secrets & Exposure, AuthN & AuthZ, Injection & Input, and an AI-specific category
3. Uses a P0–P3 severity scoring system so the most critical issues are prioritized
4. Ships with a checklist, per-principle fix guidance, and a findings report template
5. README states freshly launched apps can be probed by attackers within 3 hours of going live
6. Installed by dropping a folder into `.claude/skills/slopsec/` at the project or personal level
7. Triggered by natural-language prompts to Claude such as "run a security review before I launch"
Summary and scoring are generated automatically from the original article. We always link back to the publisher and never republish images or paywalled content. Last processed Jun 16, 2026 · 23:11 UTC.