@femmefatalerror/vibe-check@0.4.1

You vibe-coded your agents. Time for a vibe check. Linter and security scanner for Claude skills, agents, and AI workspaces.

Static Scan Results

scanned 2h ago · by rust-scanner

Static analysis flagged 13 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.

Decision evidence

public snapshot
Behavioral surface
Source: ChildProcess, EnvironmentVars, Filesystem, Network
Supply chain: HighEntropyStrings, UrlStrings
Manifest: No manifest risk signals triggered.
scanned 15 file(s), 138 KB of source, external domains: api.github.com, evil.example.net, example.com, github.com, raw.githubusercontent.com

Source & flagged code

6 flagged
README.md
| `security/injection/override-attempt` | error | "Ignore previous instructions" style payload (defensive mentions are not flagged) |
High
Ai Reviewer Manipulation

Package text addresses the security reviewer or scanner and tries to influence the review outcome.

dist/test.js
patternName = github_pat severity = critical line = 107 matchedText = const pa...0');
Critical
Critical Secret

Package contains a critical-looking secret pattern.

dist/test.js · L107
patternName = github_pat severity = critical line = 107 matchedText = const pa...0');
Critical
Secret Pattern

GitHub personal access token in dist/test.js

dist/test.js · L107
patternName = github_pat severity = critical line = 114 matchedText = const pa...0');
Critical
Secret Pattern

GitHub personal access token in dist/test.js

dist/test.js · L114
patternName = github_pat severity = critical line = 233 matchedText = fs.write...n');
Critical
Secret Pattern

GitHub personal access token in dist/test.js

dist/test.js · L233
patternName = generic_password severity = medium line = 184 matchedText = const fi...n');
Medium
Secret Pattern

Hardcoded password in dist/test.js

dist/test.js · L184

Findings

4 Critical · 1 High · 3 Medium · 5 Low
Critical · Critical Secret · dist/test.js
Critical · Secret Pattern · dist/test.js
Critical · Secret Pattern · dist/test.js
Critical · Secret Pattern · dist/test.js
High · Ai Reviewer Manipulation · README.md
Medium · Network
Medium · Environment Vars
Medium · Secret Pattern · dist/test.js
Low · Non Install Lifecycle Scripts
Low · Scripts Present
Low · Filesystem
Low · High Entropy Strings
Low · Url Strings