
Security audit

Vibe Remote

Security checks across malware telemetry and agentic risk

Overview

This skill is a coherent helper for Vibe Remote, with disclosed but sensitive workflows around remote access, GitHub posting, passwords, and public media uploads.

Install and run Vibe Remote only from a trusted source, pair only trusted devices, and stop the remote session when finished. Avoid putting real passwords directly on command lines when possible. Review GitHub issue text and any screenshots or videos before posting or uploading, especially when using catbox or another public third-party host.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence: 93%
Finding
The skill instructs users to upload images or videos to catbox.moe, a third-party file host, without warning that uploaded content may expose source code, screenshots, credentials, internal URLs, or other sensitive debugging artifacts to an external service. In a support/issue-filing workflow, users are especially likely to attach diagnostic material, so the omission creates a realistic privacy and data-leak risk even if the behavior is not overtly malicious.

VirusTotal

64/64 vendors flagged this skill as clean.
