Vibe UI

Security checks across static analysis, malware telemetry, and agentic risk

Overview

This skill is a disclosed local UI-design helper, with one user-triggered URL fetch feature that users should run only on trusted URLs.

Install only if you want a local DESIGN.md workflow that can overwrite or create project design files. Use extract-url only with public, trusted URLs, avoid internal network addresses, and review any extracted or imported DESIGN.md before applying it.

Publisher note

Vibe UI is a local-first DESIGN.md workflow skill. It ships curated DESIGN.md resources, style recommendations, like-style prompt generation, static preview/browser generation, draft URL/Figma/screenshot import, and local consistency reports. All referenced product styles are inspiration only; the skill does not claim affiliation or endorsement.

SkillSpector (2)

By NVIDIA

Description-Behavior Mismatch

Severity: Medium
Confidence: 86%
Finding: The skill’s documented purpose is UI style selection and checking, but this command also ingests arbitrary remote or local HTML and turns it into a new DESIGN.md artifact. That expands the trust boundary and can cause users to import untrusted third-party content into their workflow, creating a supply-chain-style risk and an unexpected data flow that is not necessary for the core local design-checking task.

Context-Inappropriate Capability

Severity: Medium
Confidence: 93%
Finding: The script performs arbitrary HTTP(S) fetches based on user-supplied input without host restrictions, confirmation, or safety controls. In agent or CI environments, this can enable unsolicited outbound requests, including access to internal-only endpoints or sensitive network locations, and can be abused for SSRF-like behavior, network probing, or retrieval of hostile content.

Static analysis

No static analysis findings were reported for this release.

VirusTotal

56/56 vendors flagged this skill as clean.