registry  /  @yagyeshvyas/vibeguard  /  1.3.0

@yagyeshvyas/vibeguard@1.3.0

Security scanner + AI agent firewall. Blocks secret/PII exfiltration in real time. 752 rules, 82 MCP tools (agent-scan, mcp-audit, guard-action, generate-sbom, dep-reachability, license-compliance), AST taint analysis. Offline, zero telemetry, zero depend

AI Security Review

scanned 2h ago · by lpm-firewall-ai

Explicit setup persists an MCP server into AI-client configuration. Its default server command resolves an unscoped, version-unpinned npm package on later agent startup.

Static reason
High-risk behavior combination matched malicious policy.
Trigger
User runs `vibeguard install` or the explicit auto setup workflow.
Impact
A configured agent may later execute a substituted or changed registry package.
Mechanism
AI-agent config and hook mutation using unpinned `npx`.
Rationale
No concrete malware, exfiltration, or active install-time payload is present in the inspected archive. However, explicit agent-extension setup writes persistent configurations that invoke an unpinned, mismatched package name, which warrants a warning.
Evidence
package.jsonsrc/install.jssrc/hook.jssrc/mcp-audit.js.mcp.json~/.cursor/mcp.json~/.codex/config.toml.claude/settings.json

Decision evidence

public snapshot
AI called this Suspicious at 92.0% confidence as Critical Vulnerability with medium false-positive risk.
Evidence for warning
  • `src/install.js` writes MCP entries for detected AI clients when `vibeguard install` is invoked.
  • The configured command is unpinned `npx -y vibeguard mcp`, while this archive is `@yagyeshvyas/vibeguard`.
  • `src/hook.js` can add a project `.claude/settings.json` PostToolUse command hook through explicit setup.
Evidence against
  • `package.json` references `scripts/postinstall.js`, but that file is absent from the archive.
  • `src/mcp-audit.js` uses invisible Unicode only in a detector regex for hostile config content.
  • Reviewed network code performs user-invoked URL/CVE scanning; no secret-exfiltration path was confirmed.
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsEvalFilesystemNetworkShell
Supply chain
HighEntropyStringsObfuscatedUrlStrings
ManifestNo manifest risk signals triggered.
scanned 57 file(s), 1.03 MB of source, external domains: 127.0.0.1, 169.254.169.254, api.openai.com, api.osv.dev, api.stripe.com, fonts.gstatic.com, github.com, json.schemastore.org, osv.dev, registry.npmjs.org, trivy.dev, www.w3.org, your-site.com, yourapp.com, yourdomain.com

Source & flagged code

14 flagged · loading source
package.jsonView file
scripts.postinstall = node scripts/postinstall.js
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
scripts.postinstall = node scripts/postinstall.js
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.jsonView on unpkg
README.mdView file
| **Layer 1: Regex threats** | Exact pattern matching for known injection patterns | Blocks `ignore previous instructions`, `you are now`, DAN, markup injection, etc. |
High
Ai Reviewer Manipulation

Package text addresses the security reviewer or scanner and tries to influence the review outcome.

README.mdView on unpkg
bin/cli.jsView file
1206- Use CSP headers (no unsafe-inline/unsafe-eval) L1207: - Never pass user input to exec() or spawn() without sanitization L1208: - For AI agents: add maxSteps, sandbox file access, allowlist commands
High
Child Process

Package source references child process execution.

bin/cli.jsView on unpkg · L1206
51function printHelp() { L52: process.stdout.write(` L53: VibeGuard — offline security scanner for AI-generated code. ... L187: if (exists('docker-compose.yml') || exists('docker-compose.yaml')) return 'fullstack'; L188: if (exists('package.json')) { L189: try { L190: const pkg = JSON.parse(fs.readFileSync(path.join(root, 'package.json'), 'utf8')); L191: const deps = { ...pkg.dependencies, ...pkg.devDependencies }; ... L501: if (!target || target === '.') { L502: process.stderr.write('usage: vibeguard url <https://your-site.com>\n'); L503: return 2; ... L683: }
High
Cloud Metadata Access

Source reaches cloud instance metadata or link-local credential endpoints.

bin/cli.jsView on unpkg · L51
1206- Use CSP headers (no unsafe-inline/unsafe-eval) L1207: - Never pass user input to exec() or spawn() without sanitization L1208: - For AI agents: add maxSteps, sandbox file access, allowlist commands L1209: - For AI prompts: never put user input in the system prompt L1210: - Run: npx vibeguard scan . before committing L1211:
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

bin/cli.jsView on unpkg · L1206
3L4: const fs = require('fs'); L5: const path = require('path');
Medium
Dynamic Require

Package source references dynamic require/import behavior.

bin/cli.jsView on unpkg · L3
51function printHelp() { L52: process.stdout.write(` L53: VibeGuard — offline security scanner for AI-generated code. ... L187: if (exists('docker-compose.yml') || exists('docker-compose.yaml')) return 'fullstack'; L188: if (exists('package.json')) { L189: try { L190: const pkg = JSON.parse(fs.readFileSync(path.join(root, 'package.json'), 'utf8')); L191: const deps = { ...pkg.dependencies, ...pkg.devDependencies }; ... L501: if (!target || target === '.') { L502: process.stderr.write('usage: vibeguard url <https://your-site.com>\n'); L503: return 2; ... L683: }
Medium
Install Persistence

Source writes installer persistence such as shell profile or service configuration.

bin/cli.jsView on unpkg · L51
1193- Never hardcode secrets — use environment variables L1194: - Never use eval() or new Function() with user input L1195: - Never concatenate SQL strings — use parameterized queries
Low
Eval

Package source references a known benign dynamic code generation pattern.

bin/cli.jsView on unpkg · L1193
src/scanner.jsView file
34const p = path.join(root, name); L35: if (fs.existsSync(p)) return JSON.parse(fs.readFileSync(p, 'utf8')); L36: } catch { ... L91: try { L92: const { execFileSync } = require('child_process'); L93: const out = execFileSync('git', ['diff', '--cached', '--name-only', '--diff-filter=ACM'], { ... L390: L391: // package.json present but no lockfile -> non-reproducible installs. L392: if (fs.existsSync(path.join(root, 'package.json'))) {
Low
Weak Crypto

Package source references weak cryptographic algorithms.

src/scanner.jsView on unpkg · L34
src/mcp-audit.jsView file
40contains invisible/control Unicode U+200B (zero width space) const HIDDEN_CHARS_RE = /[<U+200B>-<U+200F><U+202A>-<U+202E><U+2066>-<U+2069><U+FEFF>]/;
Critical
Trojan Source Unicode

Source contains bidi control or invisible Unicode characters associated with Trojan Source attacks.

src/mcp-audit.jsView on unpkg · L40
Trigger-reachable chain: manifest.bin -> bin/cli.js -> src/mcp-audit.js Reachable file contains a blocking source-risk pattern.
Critical
Trigger Reachable Dangerous Capability

A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.

src/mcp-audit.jsView on unpkg
src/shell-hook.ps1View file
path = src/shell-hook.ps1 kind = build_helper sizeBytes = 4970 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

src/shell-hook.ps1View on unpkg
src/rules.jsView file
36patternName = generic_password severity = medium line = 36 matchedText = // templ...ion.
Medium
Secret Pattern

Hardcoded password in src/rules.js

src/rules.jsView on unpkg · L36

Findings

2 Critical6 High8 Medium8 Low
CriticalTrojan Source Unicodesrc/mcp-audit.js
CriticalTrigger Reachable Dangerous Capabilitysrc/mcp-audit.js
HighInstall Time Lifecycle Scriptspackage.json
HighAi Reviewer ManipulationREADME.md
HighChild Processbin/cli.js
HighShell
HighCloud Metadata Accessbin/cli.js
HighRuntime Package Installbin/cli.js
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumDynamic Requirebin/cli.js
MediumNetwork
MediumEnvironment Vars
MediumInstall Persistencebin/cli.js
MediumShips Build Helpersrc/shell-hook.ps1
MediumStructural Risk Force Deep Review
MediumSecret Patternsrc/rules.js
LowNon Install Lifecycle Scripts
LowScripts Present
LowEvalbin/cli.js
LowWeak Cryptosrc/scanner.js
LowFilesystem
LowObfuscated
LowHigh Entropy Strings
LowUrl Strings