vibes
Advisory
Audited by Static analysis on Apr 30, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Using the skill may run a changing version of the MCP package, which could behave differently after future package updates.
The skill starts its MCP server using an npm package referenced as @latest, so the code backing the tool can change over time rather than being fixed to a reviewed version.
"mcp":{"command":"npx","args":["vibes-mcp@latest"],"env":{"VIBES_API_URL":"https://vibes-api.fly.dev"}}
Prefer a pinned package version where possible, and verify that the npm package and homepage are the intended sources before installing.
Text posted through /vibes leaves the local agent and may be visible to others in the vibe feed for the stated ephemeral period.
The skill is designed to send user-provided vibe messages to an external service and show messages from other participants.
"VIBES_API_URL":"https://vibes-api.fly.dev" ... `/vibes "your message"` — Drop a vibe (max 140 chars)
Do not post secrets, private project details, credentials, or confidential information in vibe messages.
