Not a policy deck.
Every resource should give you a test, checklist, Skill, or workflow pattern you can use.
VibeSec Advisory publishes practical research, reusable Skills, workflow patterns, agent reviews, MCP notes, prompt injection tests, CLI security guides, AI red-team lessons, and market news for builders working with AI systems.
No pricing, SOWs, paid assessments, workshops, retainers, or service funnel. Just security-focused content you can use to test and improve what you are building.
Every resource should give you a test, checklist, Skill, or workflow pattern you can use.
Workflow controls come before tool recommendations.
Actions, approvals, and recovery paths stay visible before AI gets more authority.
VibeSec Advisory helps builders understand and test the risks created by agents, MCP servers, AI coding tools, prompt injection, and AI-generated workflows.
Browse the Skill LibraryEssays, checklists, Skills, and field notes for people building and testing AI systems.
Prompt rewrites should start with a mismatch log that records user intent, prompt wording, model interpretation, output, failure mode, downstream result, and the next control.
Read field noteAI agents should not delete logs, traces, worktrees, screenshots, temp files, or failed test output before review. Put a cleanup evidence hold in front of destructive actions so reviewers can prove what happened before anything disappears.
Read field noteAI coding agents should never read `.env` files, tokens, private keys, or secret values. Give agents scoped capabilities through reviewed tools, brokers, or MCP servers without putting credentials into prompt context, logs, traces, diffs, memory, or telemetry.
Read field notePeople are using copilots, agents, and MCP-connected tools inside live business processes. The question is no longer whether AI is being used. The question is whether the workflow has a baseline, reusable skills, permissions, review points, and a measurement loop.
Start with the process, owner, inputs, approvals, and failure modes before tools.
Good workflow review starts with the current metric, owner, and target state.
Human checkpoints, data boundaries, action limits, escalation, and security are mapped together.
Write down what you tested, what failed, what changed, and what still needs review.
The public front door is the research archive, the VibeSec Advisory Skill Library, and the workflow examples. Each resource should help you understand a risk, test an agent, review a tool, or improve a workflow.
Read field notes on agents, MCPs, prompt injection, AI coding tools, generated code, and practical security workflows.
Browse reusable AI workflow skills, guardrails, examples, and implementation patterns that show how governed work should be captured.
FORGE remains a historical and educational model for thinking about governed workflows. The active VibeSec Advisory direction is a free field guide for securing agentic AI.
Current workflow, owner, source system, pain point, and target metric.
Reusable instructions that capture how expert work should be done and reviewed.
Automation only where the tool boundary, action limit, and recovery path are known.
Data boundaries, approval gates, escalation rules, and security controls.
Triggers, cadence, dependencies, and failure handling for repeatable work.
Evidence, lessons, regression checks, and the next measurable improvement.
Capture reusable Skills, source boundaries, review gates, and test results so workflow knowledge compounds.
Map agents to concrete steps, owners, tools, review points, and failure modes before trusting automation.
Guardrails are designed as blast-radius controls, not vague policy language.
Every artifact should include a way to test, review, or improve the workflow.
Read the latest field notes, then use the Skills and workflow examples to test your own agentic AI systems.