# vibe-code-audit

v0.1.32

Audits AI-generated (vibecoded) apps for security, quality, performance, and compliance gaps — before they reach production.

## 🛡️ Vibe Audit: Production-grade checks for AI-generated code

🔍 Find security risks, scaling issues, and hidden bugs in AI-generated code before they hit production.

A structured audit across the risks that actually break products:
- 🔐 Security — auth flaws, exposed secrets, injection risks, LLM prompt injection, RAG document injection, PII in AI calls, unsafe agent tool use
- ✅ Quality — dead code, weak typing, AI anti-patterns
- ⚡ Performance — slow queries, cold starts, heavy bundles
- 📋 Compliance — Stripe, App Store, data access risks
- 🧪 Testing — missing coverage in critical flows

Built specifically for AI-generated code, not generic linting.
## 🎯 See exactly what's wrong and where

```text
━━━━━━━━━━━━━━━━━━━━━━━━━━━ 🔴 CRITICAL ━━━━━━━━━━━━━━━━━━━━━━━━━━━
[Security] src/app/api/webhooks/stripe/route.ts:23
Missing Stripe signature verification — any HTTP request can spoof a payment event
Fix → const sig = headers.get('stripe-signature')
      await stripe.webhooks.constructEventAsync(body, sig, env.STRIPE_WEBHOOK_SECRET)
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
```

- ✏️ Clear issue descriptions
- 🚦 Severity levels (critical, high, medium, low)
- 📍 Exact file and line references
- 🔧 Actionable fixes, not generic advice

No vague suggestions. Only concrete problems you can fix.
## 🚀 Install & Use

### Claude Code

Step 1 — Install the plugin files:

```bash
npx vibe-code-audit install
# Select "Claude Code" when prompted
```

Step 2 — Open a project in Claude Code and run your first audit:

```
/audit
```

That's it. The commands are copied to `~/.claude/commands/` and are available immediately — no restart needed.

Alternative: Install via the Claude Code plugin marketplace instead:

```
/plugin marketplace add Shankulkarni/claude-plugin-marketplace
/plugin install vibeaudit@shankulkarni
```

### Gemini CLI

Option 1 — via npm (recommended):

```bash
npx vibe-code-audit install
# Select "Gemini CLI" when prompted
```

Skills and AGENTS.md are copied to `~/.gemini/gemini/extensions/vibeaudit/`. Open Gemini CLI and ask:

```
Run a vibeAudit security audit on this codebase.
```

Option 2 — install directly from GitHub:

```bash
gemini extension install Shankulkarni/vibe-audit
```

### Codex

Step 1 — Install the plugin files:

```bash
npx vibe-code-audit install
# Select "Codex" when prompted
```

Skills and AGENTS.md are copied to `~/.codex/Codex/plugins/vibeaudit/`. Codex has no slash commands — trigger the audit with a prompt:

```
Run a vibeAudit on this codebase. Follow the 7-step flow in AGENTS.md:
detect stack → check cache → quick scan → load skills → deep analysis → report → cache update.
```

### Manage your installation

| Command | What it does |
|---------|-------------|
| `npx vibe-code-audit install` | Install into Claude Code, Gemini CLI, Codex, or Cursor |
| `npx vibe-code-audit status` | Show which tools have vibeAudit installed and their version |
| `npx vibe-code-audit update` | Pull latest from npm and re-sync plugin files |
| `npx vibe-code-audit uninstall` | Remove vibeAudit from selected tools |
## 💻 Commands (Claude Code)

| Command | What It Does |
|---------|-------------|
| `/audit` | Full incremental audit — only re-audits changed files |
| `/audit:quick` | Bash grep scan, ~5s, no AI tokens. Results marked `[UNVERIFIED]` |
| `/audit:full` | Full re-audit of every file, bypasses cache |
| `/audit:security` | Security dimension only — faster and more focused |
| `/audit:ci` | CI gate — outputs JSON, exits 1 on Critical findings (blocks merge) |
| `/audit:report` | Write findings to `AUDIT_REPORT.md` |
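The `/audit:quick` row describes a grep-style pass that costs no AI tokens but tags everything `[UNVERIFIED]`. The added example below (my own illustration, not the plugin's scanner, whose rules and output format are not shown on this page) runs two regex rules and one file-level rule over constructed source files. It demonstrates why the tag is needed: a regex sees a secret-shaped string inside a comment and a webhook route with no `constructEvent` call, but it cannot tell a commented-out placeholder from a live key, so the result is a lead for the AI-backed deep analysis, not a confirmed finding. The rule ids, the `FILES` map and the finding shape are all assumptions.

```javascript
// Added example, not the plugin's own code: a token-free "quick scan" whose
// hits are explicitly unverified because they come from text matching alone.
const QUICK_RULES = [
  {
    id: "hardcoded-stripe-key",            // hypothetical rule id
    severity: "critical",
    pattern: /\bsk_(live|test)_[A-Za-z0-9]{8,}/,
    message: "Stripe secret key literal in source",
  },
  {
    id: "eval-call",                       // hypothetical rule id
    severity: "high",
    pattern: /\beval\s*\(/,
    message: "eval() on possibly untrusted input",
  },
];

// Line-level rules: report file:line for every matching line.
function scanLines(path, contents) {
  const findings = [];
  contents.split("\n").forEach((line, i) => {
    for (const rule of QUICK_RULES) {
      if (rule.pattern.test(line)) {
        findings.push({ file: path, line: i + 1, rule: rule.id,
                        severity: rule.severity, message: rule.message, verified: false });
      }
    }
  });
  return findings;
}

// File-level rule: a Stripe webhook route that never mentions constructEvent
// (sync or async variant) is probably missing signature verification.
function scanWebhookRoute(path, contents) {
  if (!/webhooks\/stripe\//.test(path)) return [];
  if (/constructEvent(Async)?\s*\(/.test(contents)) return [];
  return [{ file: path, line: 1, rule: "missing-webhook-verification", severity: "critical",
            message: "Stripe webhook route without signature verification", verified: false }];
}

function scanAll(files) {
  const findings = [];
  for (const [path, contents] of Object.entries(files)) {
    findings.push(...scanLines(path, contents), ...scanWebhookRoute(path, contents));
  }
  // Critical first, so a CI gate can stop at the first entry.
  const order = { critical: 0, high: 1, medium: 2, low: 3 };
  return findings.sort((a, b) => order[a.severity] - order[b.severity]);
}

// Constructed sample project: one unverified webhook route, one commented-out
// placeholder key (a classic quick-scan false positive).
const FILES = {
  "src/app/api/webhooks/stripe/route.ts":
    "export async function POST(req) {\n" +
    "  const body = await req.text();\n" +
    "  const event = JSON.parse(body);\n" +
    "  return handle(event);\n" +
    "}\n",
  "src/lib/payments.ts":
    "// old: const key = \"sk_live_PLACEHOLDERNOTREAL123\";\n" +
    "const stripe = new Stripe(process.env.STRIPE_SECRET_KEY);\n",
};

function formatFinding(f) {
  return `[UNVERIFIED] ${f.severity.toUpperCase()} ${f.file}:${f.line} ${f.message} (${f.rule})`;
}

for (const f of scanAll(FILES)) console.log(formatFinding(f));
```

Both hits print as `[UNVERIFIED]`; the deep-analysis step, which actually reads the surrounding code, is what would confirm the webhook finding and discard the commented-out key.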
## 🧰 Stacks supported

Audits the stacks AI tools generate most frequently:

Skills load automatically based on your `package.json` — only what's relevant.

## 📚 Technical details

For architecture, caching layers, audit skills, and plugin internals: