vibes

Pass

Audited by VirusTotal on May 12, 2026.

Overview

Type: OpenClaw Skill
Name: vibes
Version: 1.0.0

The skill is classified as suspicious due to its reliance on `npx vibes-mcp@latest` for execution, as defined in `SKILL.md`. This mechanism fetches and executes the latest version of an external package from the npm registry, introducing a significant supply chain risk. While no explicit malicious intent is evident in the provided files, the dynamic nature of this dependency means the agent could execute arbitrary, potentially malicious code if the `vibes-mcp` package were compromised or updated maliciously.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Using the skill may run a changing version of the MCP package, which could behave differently after future package updates.

Why it was flagged

The skill starts its MCP server using an npm package referenced as @latest, so the code backing the tool can change over time rather than being fixed to a reviewed version.

Skill content

"mcp":{"command":"npx","args":["vibes-mcp@latest"],"env":{"VIBES_API_URL":"https://vibes-api.fly.dev"}}

Recommendation

Prefer a pinned package version where possible, and verify that the npm package and homepage are the intended sources before installing.

What this means

Text posted through /vibes leaves the local agent and may be visible to others in the vibe feed for the stated ephemeral period.

Why it was flagged

The skill is designed to send user-provided vibe messages to an external service and show messages from other participants.

Skill content

"VIBES_API_URL":"https://vibes-api.fly.dev" ... `/vibes "your message"` — Drop a vibe (max 140 chars)

Recommendation

Do not post secrets, private project details, credentials, or confidential information in vibe messages.