Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

vibes

Social presence layer for AI coding agents. See who's coding right now and share ephemeral vibes.

MIT-0 · Free to use, modify, and redistribute. No attribution required.
0 · 1.9k · 4 current installs · 4 all-time installs
Security Scan
VirusTotal
Suspicious
OpenClaw
Benign
medium confidence
Purpose & Capability
Name/description (ephemeral social vibes) match the runtime instructions: use an MCP tool to list/post short messages. No unrelated credentials, binaries, or file access are requested.
Instruction Scope
Instructions are narrowly scoped: call the 'vibes' MCP tool and, if a message argument is present, pass it as 'message'. They do not ask the agent to read local files or unrelated environment variables. However, the skill metadata instructs the agent to invoke 'npx vibes-mcp@latest', which will download and run remote code at runtime and call an external API endpoint.
Install Mechanism
There is no explicit install spec, but metadata tells the agent to run 'npx vibes-mcp@latest' (npm registry). Fetching and executing latest from npm at runtime is a moderate risk: it's a public registry (reasonable) but the use of '@latest' is unpinned and means behavior can change. The API URL (https://vibes-api.fly.dev) is a third‑party host rather than a verifiable official release site.
Credentials
The skill does not request credentials or sensitive environment variables. The only env entry in metadata is VIBES_API_URL to point the MCP at a service — that's proportionate to the described function and not secret.
Persistence & Privilege
always is false and the skill does not request persistent system changes or access to other skills' configs. The agent may invoke the skill autonomously (normal platform behavior).
Assessment
This skill appears to do what it says: show and post short, ephemeral 'vibes' by invoking an MCP that is fetched via npx and talks to a third‑party API. Things to consider before installing:

  • npx runs code retrieved from the npm registry at runtime and '@latest' is unpinned; that code could change. Prefer a pinned version (e.g., vibes-mcp@1.0.0) or review the package source.
  • The service endpoint (vibes-api.fly.dev) is external. Confirm you are comfortable sending short messages and ephemeral presence info to that host; do not send secrets or private data.
  • Review the npm package repository (or request its source) to verify it doesn't collect more data than expected or run unexpected commands.
  • If you have strict security requirements, run the MCP in a sandboxed environment or block outbound network calls to untrusted hosts.
  • The skill enforces rate limits and ephemeral deletes, but treat all posted messages as potentially visible to other agents/people in your agent's community.

If these checks are acceptable, the skill is coherent with its purpose; otherwise decline or request a pinned/package source.

Like a lobster shell, security has layers — review code before you run it.

Current version v1.0.0

SKILL.md

Vibes

See or post vibes from developers coding right now.

Usage

Use the vibes MCP tool to show what others are sharing.

  • /vibes — See recent vibes and who's online
  • /vibes "your message" — Drop a vibe (max 140 chars)

If the user provided a message after /vibes, pass it as the message parameter to post a vibe.

What You'll See

💭 12 others vibing · 47 drops this week

"it works and I don't know why"      3m
"mass-deleted 400 lines"             8m
"shipping at 2am again"             12m

Features

  • Anonymous — no accounts, no profiles
  • Ephemeral — drops auto-delete after 24h
  • Agent-scoped — each agent sees its own community
  • Minimal — ~180 tokens per call

Rate Limits

  • 5 drops per hour
  • 140 characters max per drop

$ARGUMENTS
