The 80% Problem
You don’t need a third-party DAST scanner or a live security service for baseline coverage.
Claude Skills can review your code for the majority of common vulnerabilities. Secrets in source. SQL injection. XSS. Input validation issues. It does this well, and it does it fast.
But here’s the gap that nobody talks about: Claude Skills are blind to runtime behavior.
What Claude Skills Actually Do Well
Let’s be clear about where Skills shine:
- Secrets detection - API keys, passwords, tokens in your codebase
- SQL injection patterns - parameterized queries, raw string concatenation
- XSS vulnerabilities - unescaped output, dangerous innerHTML usage
- Basic auth flow review - session handling, token storage patterns
For a vibe-coded app, this baseline coverage is significant. You don’t need to hire a security expert or set up complex tooling to catch these issues.
Gap #1: No Real Browser Testing
Here’s what Claude Skills can’t do: actually run your app in a browser.
Without real browser automation, you can’t verify:
- Whether your CORS configuration actually denies untrusted origins (the browser enforces CORS; a server that reflects any Origin into Access-Control-Allow-Origin quietly grants access and nothing in the source makes that obvious)
- If your CSP breaks legitimate functionality, or is so loose ('unsafe-inline', missing frame-ancestors) that it protects nothing
- How your auth flow behaves under real session conditions - expiry, concurrent logins, logout in one tab while another stays open
- What happens when client-side JavaScript writes user-controlled data into the DOM
This is where DAST tools and Playwright come in. They execute your app, click buttons, fill forms, and observe actual behavior.
Static code review catches the pattern. Dynamic testing catches the reality.
Gap #2: No Continuous Monitoring
A mature application doesn’t just get tested once.
Every single change needs basic scenario validation. Does your dashboard still load? Do notifications fire? Does the happy path still work?
Claude Skills are point-in-time reviews. They don’t watch your app after deployment. They don’t alert you when a dependency update breaks authentication.
This is what separates a production-ready app from something vibe-coded in a week.
Gap #3: Edge Cases and Small Details
The first iteration of any vibe-coded app misses edge cases. That’s normal.
But catching those edge cases requires:
- Multi-user testing scenarios
- Boundary condition checks
- Error state validation
- Race condition detection
This is tedious work that neither a one-shot code review nor a generated test scaffold covers by default. And it's exactly where security vulnerabilities hide - in the edge cases that nobody thought to test.
The Fix: Playwright Security Tests
You can close these gaps without expensive tools.
Ask Claude to write Playwright tests with security assertions. This gives you:
- Real browser execution
- Multi-user scenario testing
- CI integration for continuous monitoring
- Assertion-based validation of security properties
Example security assertions you can include:
- Verify response headers (Content-Security-Policy, X-Frame-Options, X-Content-Type-Options, and Access-Control-Allow-Origin as seen from several different Origin values, not just your own)
- Test multi-tenant isolation (user A can’t see user B’s data)
- Validate notification and email flows
- Check error handling doesn’t leak information
This isn’t a replacement for professional penetration testing. But it’s dramatically better than static review alone.
The Practical Stack
For vibe-coded web apps, here’s what actually works:
- Claude Skills for baseline code review (secrets, injection, XSS)
- Playwright tests for runtime security assertions
- CI integration for continuous monitoring on every change
- Manual review for complex business logic and edge cases
You don’t need to hire a security team. You don’t need expensive DAST subscriptions. But you do need more than just static code review.
Key Takeaways
- Claude Skills handle 80% of baseline security - secrets, SQL injection, XSS detection work well
- Static review can’t replace dynamic testing - you need real browser execution to verify runtime behavior
- Continuous monitoring is the maturity gap - one-time reviews aren’t enough for production apps
- Edge cases hide security bugs - multi-user scenarios, error states, and boundaries need explicit testing
- Playwright closes the gap cheaply - write security assertions that run on every change
- Combine approaches, don’t pick one - Skills for code review, Playwright for runtime, manual for edge cases
- You can do this yourself - no security expert required for baseline coverage