Vibe-Switch

Security checks across malware telemetry and agentic risk

Overview

This skill is a clearly disclosed local CLI orchestrator for running coding agents in separate Git worktrees, with expected cleanup and logging behavior.

Install only if you trust the npm package publisher and are comfortable with it spawning other coding-agent CLIs. Avoid sending sensitive repositories to non-sandboxed agents, and review or commit important work before running `vibe clean` because it is documented to remove completed task logs and worktrees.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium (86% confidence)
Finding
The documentation advertises `vibe clean` and related cleanup operations without an explicit warning that they remove Git worktrees and local state under `~/.vibe-switch/`. In a tool that creates sibling worktrees and persists logs/snapshots, unclear destructive behavior can cause accidental data loss, deletion of unmerged work, or removal of forensic/history artifacts a user expected to keep.

VirusTotal

66/66 vendors flagged this skill as clean.
