Revibe Codes
Security checks across static analysis, malware telemetry, and agentic risk
Overview
Revibe Codes appears aligned with its advertised repo-analysis purpose, but it sends repository data to Revibe and saves reusable local context, so use it only for repositories you are comfortable sharing.
Before installing, make sure you are allowed to share the target repository with Revibe, especially for private or proprietary code. Review Revibe’s privacy/retention terms, protect the REVIBE_API_KEY, and only enable the optional curl allowed-tools shortcut if you are comfortable reducing prompts for Revibe API calls.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Anyone with the key may be able to use the user’s Revibe account or quota.
The skill uses a service API key, which is expected for Revibe access, but it is still a credential users should protect and scope appropriately.
**REVIBE_API_KEY** (required): API key for authentication... Sent as `X-Revibe-Key` header.
Use a dedicated Revibe API key if possible, keep it out of logs and shared files, and revoke it if no longer needed.

Repository contents may leave the local environment and be stored by Revibe’s infrastructure.
The external data flow and cloud storage of repository source code are clearly disclosed and purpose-aligned, but they are sensitive for private or proprietary repositories.
This skill sends your repository's GitHub URL to revibe.codes for analysis. Source code is stored securely in Google Cloud Storage...
Review Revibe’s privacy and retention terms before using this on private, proprietary, regulated, or customer-owned code.

Future tasks may rely on the saved agent_context.json, which could include sensitive architectural details or stale/incorrect assumptions.
The skill creates persistent local context that future agent actions or other skills may reuse.
Always save the agent context file after showing the summary... This file gives the agent (and other skills) structured codebase understanding for future tasks.
Review or delete agent_context.json when working with sensitive repositories or when the analysis becomes outdated.

If enabled, future Revibe API calls may require less interactive confirmation.
This is an optional, disclosed tool-permission relaxation scoped to Revibe curl calls; it is useful for the workflow but lowers approval friction.
To reduce permission prompts, you can optionally add `Bash(curl *revibe.codes*)` to your allowed tools via `/allowed-tools`.
Only add the allowed-tools rule if you are comfortable with repeated Revibe network calls, and remove it when no longer needed.
