Vibe Auditor -- Audit & Auto-Fix Your Vibe-Coded Projects

You vibed.
Now ship.

A Claude Code plugin that audits your AI-generated code and auto-fixes it. Security flaws, missing auth, hardcoded secrets -- gone in one command.

npx claude-plugins install vibecheck

Built for the Claude Code Hackathon · Feb 2026 · Open Source

Under the hood

The Demo

One command. Full pipeline.

[scan] Analyzing 47 files... [audit] 53 issues found 12 critical | 18 high | 14 medium | 9 low [fix] Auto-fixing 39 issues... [test] Generating 50 regression tests... [done] 50 tests passing Score: F → B+

SECURITY

Security

OWASP Top 10 coverage

SQLi

XSS

SSRF

CMDi

Path

NoSQL

Access control

Auth guards

IDOR

Priv. escalation

Sessions

secret-hunter

Zero leaked keys

AWS_SECRET_ACCESS_KEY**** STRIPE_SK_LIVE**** JWT_SECRET**** PRIVATE_KEY**** DATABASE_URL****

50 tests.
No mocks. No stubs.

prevents SQL injection on /users/:id blocks XSS in comment body validates auth on admin routes sanitizes file upload names rate limits login endpoint

// vibe preservation

Your code stays YOUR code.

Same names, same structure, same style. We fix the SQL injection, not your naming conventions.

14-db.query(`SELECT * FROM users WHERE id = ${req.params.id}`);

14+db.query('SELECT * FROM users WHERE id = ?', [req.params.id]);

Two commands. That's it.

copy

/vibecheck # Audit only

/vibecheck --fix # Audit + auto-fix

See the fix.

SQL injection becomes a parameterized query -- your code, your style, zero breakage.

routes/users.js Vulnerable

121314151617

app.get('/users/:id', (req, res) => {
  const query = `SELECT * FROM users WHERE id = ${req.params.id}`;
  db.query(query, (err, result) => {
    res.json(result);
  });
});

→

fixed

routes/users.js Secure