
lictor-security-checklisted

Pre-release security audit for AI-built web apps. Scans the user's project for 7 common bugs that get vibe-coded SaaS apps embarrassed in public — leaked API keys, unprotected user-data endpoints, open databases, the wrong kind of admin-page lock, exposed config files, dangerous AI chat setups, and over-permissive cross-origin settings. Writes a plain-English markdown report. No jargon.
Raffa-jarrl/Lictor-AI · ★ 5 · AI & Automation · score 73
Install: claude install-skill Raffa-jarrl/Lictor-AI
# Lictor Security Check — pre-release audit

You're running a final pre-launch check on someone's AI-built web app. The person who ran this skill is most likely a founder, designer, or hobbyist who built their app with Lovable, Bolt, v0.dev, Cursor, or by prompting Claude/ChatGPT directly. They are about to deploy or have just deployed. **They are not security people.** They will not understand "CORS misconfiguration" or "improper RBAC." Talk to them like you're a friend who happens to know security, not like a pentest report.

This is a **read-only** audit. You do not modify their code. You analyze and report. If they want fixes applied, they invoke `/lictor-fix-it` separately.

## What to do

### Step 1 — Look around

Run these commands to understand what you're working with:

```bash
pwd
ls -la
# Framework and language detection. Globbed names go through ls because
# `test -f` fails with "too many arguments" when a glob matches more than one file.
test -f package.json && head -40 package.json
test -f next.config.js && echo "Next.js project detected"
ls vite.config.* >/dev/null 2>&1 && echo "Vite project detected"
ls astro.config.* >/dev/null 2>&1 && echo "Astro project detected"
test -f remix.config.js && echo "Remix project detected"
test -f svelte.config.js && echo "SvelteKit project detected"
test -f requirements.txt && echo "Python project detected"
git remote -v 2>/dev/null | head -3
```

Then tell them what you see in one sentence: *"You've got a Next.js app using Supabase and OpenAI — let me check it for the usual problems."*

That sentence buys their trust. It shows you actually looked at their specific code, not generic security ad
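An added example, not the skill's own code, of the kind of read-only scan the audit above describes: it covers three of the seven problem classes from the description (leaked API keys, exposed config files, over-permissive cross-origin settings) and writes the plain-English markdown report the skill promises. The regexes, the `NEXT_PUBLIC_` heuristic and the sample project are constructed assumptions for illustration.

```python
import re
import tempfile
from pathlib import Path

# Three of the seven problem classes from the description, as illustrative regexes (constructed, not the skill's rules).
CHECKS = [
    ("leaked API key", re.compile(r"""(?i)(api[_-]?key|secret|token)\s*[:=]\s*["'][A-Za-z0-9_\-]{20,}["']"""),
     "a real-looking key is written straight into the code, so anyone who can read the file can use it."),
    ("secret shipped to the browser", re.compile(r"NEXT_PUBLIC_\w*(SECRET|SERVICE_ROLE|PRIVATE)\w*\s*="),
     "anything named NEXT_PUBLIC_ is bundled into every visitor's browser, so this value is public."),
    ("open cross-origin setting", re.compile(r"""(?i)(access-control-allow-origin|\borigin\b).{0,20}["']\*["']"""),
     "any website can call your API from a logged-in visitor's browser; restrict it to your own domain."),
]
SKIP_DIRS = {"node_modules", ".git", "dist", ".next"}

def scan(root):
    """Read-only walk of the project: returns (file, line, title, why) tuples and changes nothing."""
    root = Path(root)
    ignored = (root / ".gitignore").read_text() if (root / ".gitignore").exists() else ""
    findings = []
    for path in root.rglob("*"):
        rel = path.relative_to(root)
        if not path.is_file() or SKIP_DIRS & set(rel.parts[:-1]):
            continue
        if path.name.startswith(".env") and ".env" not in ignored:
            findings.append((rel.as_posix(), 0, "config file not ignored by git",
                             "this file holds passwords and keys and is not in .gitignore, so a push would publish it."))
        for n, line in enumerate(path.read_text(errors="replace").splitlines(), 1):
            for title, pattern, why in CHECKS:
                if pattern.search(line):
                    findings.append((rel.as_posix(), n, title, why))
    return findings

def report(findings):
    """Render findings as the plain-English markdown the skill promises."""
    if not findings:
        return "# Security check\n\nNothing from the usual list turned up.\n"
    out = ["# Security check", "", f"{len(findings)} thing(s) to fix before launch:", ""]
    for f, n, title, why in findings:
        out.append(f"- **{title}** in `{f}`" + (f" (line {n})" if n else "") + f": {why}")
    return "\n".join(out) + "\n"

def build_sample_project():
    """Constructed throw-away project with one of each problem so the example runs offline."""
    root = Path(tempfile.mkdtemp())
    (root / ".env").write_text("NEXT_PUBLIC_SUPABASE_SERVICE_ROLE_KEY=placeholder\n")
    (root / "lib").mkdir()
    (root / "lib" / "ai.ts").write_text('const apiKey = "abcdefghijklmnopqrstuvwxyz123456";\n')
    (root / "next.config.js").write_text('headers: [{ key: "Access-Control-Allow-Origin", value: "*" }]\n')
    return root
```

Run `print(report(scan(build_sample_project())))` to see the four findings rendered; point `scan()` at a real project root to try it on your own app.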