DEV Community

Claude code
Claude code

Posted on

What Security Leaders Are Actually Getting Wrong About Vibe Coding (And What to Do Instead)

Vibe Coding Security Best Practices: What the Term Actually Means

Vibe coding security best practices are the controls and policies an engineering team applies when using AI coding agents — tools like Cursor, Claude Code, or Kiro — to generate, review, and deploy code at speed. The term covers three distinct layers: pre-execution scanning of agent Skills for supply chain threats, runtime permission scoping to limit what agents can read and write, and agent identity governance to establish who authorized what and when. Get all three right and AI-assisted development becomes a controlled workflow. Get any one of them wrong and you have an attack surface with no audit trail.

The baseline controls are pre-execution Skill scanning, runtime permission scoping, and agent identity governance. Most security leaders are implementing none of them — not because they are unaware of AI risk in the abstract, but because they are focused on the wrong layer entirely. They are auditing LLM outputs for quality, reviewing AI-generated code in pull requests, running SAST tools post-generation. Those controls matter for correctness. They do almost nothing for the threat introduced by executable Skills.

The Layer Everyone Is Missing: Executable Skills

AI coding agents execute instructions from files — markdown documents stored at paths like .cursor/rules/ or .claude/skills/. These are not just configuration. They are executable instruction sets that tell the agent what tools to call, what files to access, and how to behave across sessions. When a developer clones a repository or installs a community Skill pack, those files run with the same permissions as the agent itself. There is no install prompt, no code signing check, no permission dialog.

A malicious Skill file does not need to look malicious to cause damage. A real attack pattern: embed an instruction partway through a legitimate-looking workflow Skill that directs the agent to read ~/.ssh/id_rsa or ~/.aws/credentials and pass the contents to an outbound API call framed as a telemetry ping. Individually, each action — reading a file, making an HTTP request — is something the agent does routinely. The sequence is the attack.

In December 2025, researchers disclosed CVE-2025-59536, a critical vulnerability in Claude Code's subprocess handling that demonstrated how agent tool chains could be manipulated through crafted instructions. The disclosure was notable not because the underlying technique was novel, but because it confirmed what offensive researchers had been demonstrating privately: the Skill layer is a live attack surface, not a theoretical one.

Why Existing Scanners Are Not Enough

Some teams have deployed secret-scanning tools against their Skill directories. This is better than nothing, and it catches naive attacks — a hardcoded API key pasted directly into a Skill file. But markdown-based attacks are rarely that simple. Enkrypt AI's research found that most existing scanners truncate file analysis at roughly 3,000 characters. A Skill file crafted to place malicious instructions beyond that threshold passes a clean scan. Attackers who understand the tooling know exactly where to hide.

Runtime behavior compounds the gap. Even a Skill file that scans completely clean can be misused at execution time. An agent operating autonomously will, by default, read any file it is instructed to read. Without runtime guardrails, there is no policy enforcement preventing an agent from traversing ~/.ssh/, reading .env files across the repo, or accessing cloud credential stores. The Skill just has to ask.

Vibe Coding Security Best Practices Require Two Layers

The framing of "either scan or monitor" is wrong. Both controls are necessary and they cover fundamentally different threat windows.

  • Pre-execution scanning catches supply chain attacks embedded in Skill files before they run. It examines full file content — not just the first 3,000 characters — and flags instructions that match known attack patterns: credential exfiltration sequences, outbound data transfer disguised as agent behavior, obfuscated tool calls.

    • Runtime guardrails enforce policy during execution. They answer the question the scanner cannot: even if this Skill is clean, should this agent be allowed to read this file, call this endpoint, or execute this command right now, in this context?

Skill Sentinel is Enkrypt AI's open source scanner for the pre-execution layer. It integrates directly into development workflows for Cursor, Claude Code, Kiro, and platforms built on CrewAI, LangGraph, OpenAI SDK, and Vercel AI. The runtime guardrail layer sits above the agent execution environment and produces the audit log that is otherwise absent by default: which commands ran, which files were read, what data left the environment.

At Enkrypt AI, we built this two-layer approach after finding that neither layer alone was sufficient for teams running AI agents in production. The pre-execution scan gave confidence about what was installed. The runtime layer gave confidence about what was actually happening. Teams that deployed only one consistently had blind spots the other would have caught. You can explore the full approach at Enkrypt AI's Secure Vibe Coding solution page.

What Security Leaders Should Actually Be Asking

The right audit questions for any team running AI coding agents are concrete and operational:

  1. $1

    1. $1
    2. $1
    3. $1

Most teams cannot answer yes to all four. That is the actual security gap — not the quality of AI-generated code, but the absence of controls on the execution layer underneath it.

The teams getting this right are not necessarily the ones with the most sophisticated security programs. They are the ones who recognized early that AI agents are not just autocomplete tools but autonomous execution environments, and applied the same controls they would apply to any code running in their CI pipeline: scan it, scope its permissions, and log what it does.

If your team is deploying Cursor, Claude Code, Kiro, or any agent framework built on CrewAI, LangGraph, or the OpenAI SDK, the Skill attack surface is active in your environment right now. Securing your AI coding workflow starts with understanding that surface — and then applying controls at both layers.

Frequently Asked Questions

What are vibe coding security best practices?

Vibe coding security best practices are the controls applied to AI-assisted development workflows to prevent supply chain attacks and unauthorized agent behavior. The three baseline controls are: pre-execution scanning of agent Skill files for malicious instructions, runtime permission scoping to restrict what files and endpoints agents can access, and agent identity governance to maintain an audit trail of agent actions. Implementing all three is required — any single layer leaves exploitable gaps.

How do I scan Claude Code Skills before execution?

Claude Code Skills are stored as markdown files, typically under .claude/skills/. Skill Sentinel, an open source scanner from Enkrypt AI, analyzes these files to their full length before execution — addressing the truncation problem in generic secret scanners that stop reading at roughly 3,000 characters. It integrates into development workflows for Claude Code, Cursor, Kiro, and agent frameworks including CrewAI, LangGraph, and the OpenAI SDK. Running it as a pre-commit hook or CI gate ensures no unscanned Skill reaches an active agent session.

What is a malicious Skill file?

A malicious Skill file is a markdown instruction set for an AI coding agent that includes directives designed to exfiltrate credentials, execute unauthorized commands, or enable data theft — often disguised within otherwise legitimate workflow instructions. Because agents execute Skill files with their own permissions, a malicious Skill can instruct an agent to read ~/.ssh/id_rsa, ~/.aws/credentials, or .env files and transmit their contents to an external endpoint, all within what appears to be a normal multi-step agent task.

Does runtime governance replace pre-execution scanning?

No. Runtime guardrails and pre-execution scanning address different threats. Scanning catches malicious instructions in Skill files before they execute. Runtime governance enforces policy during execution — preventing even a clean Skill from reading credential files, making unexpected outbound calls, or performing actions outside its intended scope. A Skill can pass a clean scan and still be misused at runtime if no behavioral guardrails are in place. Both layers are required for complete coverage.

Which AI coding platforms does this apply to?

Any platform that executes agent Skills or markdown instruction files is in scope. This includes Cursor, Claude Code, Kiro, and agent frameworks built on CrewAI, LangGraph, OpenAI SDK, and Vercel AI. The Skill file format and storage conventions vary slightly by platform, but the underlying threat — executable markdown with no default policy enforcement — is consistent across all of them.

Top comments (0)