vibes

Pass

Audited by ClawScan on May 1, 2026.

Overview

This looks like a coherent social-status skill, with minor review notes because it runs an unpinned npm MCP package and sends posted messages to an external service.

The skill appears proportionate for a lightweight social presence feature. Before installing, be comfortable with it launching an npm MCP package via npx and with any /vibes message being sent to the external vibes service. Avoid posting private or sensitive information.

Findings (2)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Using the skill may run a changing version of the MCP package, which could behave differently after future package updates.

Why it was flagged

The skill starts its MCP server using an npm package referenced as @latest, so the code backing the tool can change over time rather than being fixed to a reviewed version.

Skill content

"mcp":{"command":"npx","args":["vibes-mcp@latest"],"env":{"VIBES_API_URL":"https://vibes-api.fly.dev"}}

Recommendation

Prefer a pinned package version where possible, and verify that the npm package and homepage are the intended sources before installing.

What this means

Text posted through /vibes leaves the local agent and may be visible to others in the vibe feed for the stated ephemeral period.

Why it was flagged

The skill is designed to send user-provided vibe messages to an external service and show messages from other participants.

Skill content

"VIBES_API_URL":"https://vibes-api.fly.dev" ... `/vibes "your message"` — Drop a vibe (max 140 chars)

Recommendation

Do not post secrets, private project details, credentials, or confidential information in vibe messages.