Which compliance frameworks does it support?

The skill currently supports GDPR, PCI-DSS, and HIPAA compliance audits, mapping findings to specific regulation citations and security tags.

How does it handle false positives?

It performs a multi-step validation process, including verifying code evidence, tracing data flow for injections, checking rule scope, and identifying mitigating factors like security headers or framework defaults.

What is the difference between Full and Quick mode?

Full mode uses parallelized AI agents for a deep dive into all standards with validation, while Quick mode focuses only on critical/high severity rules for immediate release readiness verdicts.

Can it detect committed secrets?

Yes, the backend domain scanner specifically checks for hardcoded API keys, bearer tokens, and credentials in .env and config files, mapped to CWE-798 for consistent reporting.

It is a specialized Claude Code skill that runs security and compliance audits against VCP (Vibe Coding Protocol) standards to ensure code safety, architecture quality, and regulatory alignment.

VCP Code Security Audit

Name: VCP Code Security Audit
Author: Z-M-Huang

byZ-M-Huang

•

Security & Testing

Conducts automated, multi-standard security audits on codebases with real-time enforcement and false-positive validation.

The vcp-audit skill is a comprehensive security tool designed for the Vibe Coding Protocol (VCP), enabling developers to run deep scans against global compliance standards like GDPR, PCI-DSS, and HIPAA. By utilizing a multi-agent team mode, it parallelizes scanning across various domains—including backend, frontend, and architecture—while performing rigorous validation steps to filter out false positives. This skill is essential for maintaining production-grade security and ensuring release readiness through automated evidence collection, data flow tracing, and actionable fix suggestions.

Key Features

01Multi-standard compliance auditing for GDPR, PCI-DSS, and HIPAA.

02Parallelized scanning using multi-AI agent orchestration and domain partitioning.

03Automated false-positive validation via data flow tracing and mitigation checks.

04Real-time Quick Mode for rapid release readiness and critical vulnerability checks.

05Integrated secret scanning for committed credentials and exposed environment files.

067 GitHub stars

Use Cases

01Automating security architecture reviews during the AI-assisted development lifecycle.

02Verifying regulatory compliance before a major production software release.

03Identifying hardcoded secrets and security vulnerabilities in complex codebases.

What are Skills?·How to Install

Install with 🐟 Skill.Fish

npx skillfish add z-m-huang/vcp vcp-audit

For use in Claude.ai and ChatGPT