Vibelevel Analyzer

Security checks across malware telemetry and agentic risk

Overview

This skill is a small GitHub profile lookup that runs a disclosed script to fetch public vibe-score data from vibelevel.xyz.

Install it if you are comfortable with a small curl-based script sending the GitHub usernames you ask about to vibelevel.xyz. Avoid using it for prompts where you did not intend an external lookup.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (2)

Lp3

Medium
Category: MCP Least Privilege
Confidence: 87%
Finding
The skill instructs the agent to execute a local shell script using user-supplied input, but the manifest does not declare any permissions despite requiring shell capabilities. This creates a governance and transparency gap: the platform or reviewer cannot accurately assess or constrain the skill's execution surface, and the hidden shell capability increases the chance of unsafe execution paths in the referenced scripts.

Vague Triggers

Medium
Confidence: 74%
Finding
The invocation guidance uses broad phrases like checking someone's 'vibe' or 'GitHub energy,' which can cause the skill to trigger in situations where the user did not clearly intend to run it. Because the skill leads to shell-script execution and likely outbound requests, ambiguous activation increases the risk of unintended code/path execution and data egress from casual or loosely related prompts.

VirusTotal

66/66 vendors flagged this skill as clean.
