vibes

Security checks across malware telemetry and agentic risk

Overview

The skill is a coherent social feed integration, but users should treat posted messages as shared remote content and note that it launches an unpinned npm MCP package.

Install only if you are comfortable running an MCP server fetched through npm using @latest and sending /vibes messages to a third-party social feed. Do not post secrets, credentials, private project details, personal data, or confidential code.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Severity: Medium
Confidence: 96%
Finding
The skill explicitly encourages posting user-provided messages through a remote MCP-backed service, but it does not warn that submitted content is transmitted to an external endpoint and displayed to other users. This can cause users or downstream agents to disclose sensitive information under the false assumption that the command is local or private, especially because the skill emphasizes anonymity and ephemerality rather than data-sharing risk.

VirusTotal

66/66 vendors flagged this skill as clean.
