Vibe Kanban MCP
Security checks across malware telemetry and agentic risk
Overview
This is a coherent local Vibe Kanban helper, but it can change issues/workspaces and suggests an unpinned npx setup command, so users should confirm targets and package source before use.
Install this only if you want your agent to operate your local Vibe Kanban instance. Before allowing mutations, confirm the exact org/project/issue/repo/workspace IDs and consider pinning the vibe-kanban npm package instead of using latest.
VirusTotal
62/62 vendors flagged this skill as clean.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If used on the wrong IDs, the agent could add or update Vibe Kanban tasks or start workspace sessions the user did not intend.
The skill documents mutating MCP operations, including creating/updating multiple issues and starting workspace sessions. This matches the skill purpose, but users should notice that it can change local project/workspace state.
Bulk-create 5 tasks quickly: ... mcporter call vibe_kanban.create_issue ... mcporter call vibe_kanban.update_issue ... Start a workspace session ... vibe_kanban.start_workspace_session
Require explicit user confirmation of project, issue, repository, and workspace IDs before create, update, bulk, link, or start-session actions.
The MCP server may run whichever vibe-kanban package version is current at setup or execution time.
The setup example points mcporter to run the latest npm package via npx. This is user-directed and purpose-aligned, but it is unpinned, so future package changes could affect the MCP server behavior.
mcporter config add vibe_kanban --command npx --arg -y --arg vibe-kanban@latest --arg --mcp
Prefer a pinned trusted package version or a reviewed local installation, and confirm the mcporter config points to the intended Vibe Kanban server.