AI Security Review
scanned 1d ago · by lpm-firewall-ai

No confirmed malicious install-time behavior or credential exfiltration was found. Residual risk is an agent-facing MCP tool that can inject remote paired-user messages into responses, and a user-invoked full-fork path that constructs shell commands around git branch/ref names.
Decision evidence
public snapshot
- setup.js (user-invoked CLI) writes Claude MCP config to ~/.claude.json or the Claude app config
- setup.js registers npx -y slashvibe-mcp@latest under mcpServers.vibe
- index.js fetches /api/session/guest messages and injects them into MCP text responses
- tools/session.js full-fork path passes user-supplied args.branch into git bundle application
- tools/lib/git-apply.js and tools/lib/git-bundle.js use execSync with interpolated branch/ref values
- package.json has no npm lifecycle install/postinstall hooks
- Claude config is mutated only via the explicit cli.js/setup.js path, not at install time
- network traffic goes only to the package's own domain slashvibe.dev or to the user-configurable VIBE_API_URL
- auth tokens are read from ~/.vibe config and sent as Bearer tokens to the package API
- tools/_work-context.js uses execFileSync with output limits and redaction for git context collection
Source & flagged code
7 flagged
- Package contains a critical-looking secret pattern. (tools/_work-context.test.js, line 83)
- GitHub personal access token in tools/_work-context.test.js (tools/_work-context.test.js, line 83)
- Source combines credential-like environment material and outbound requests; review data flow before blocking. (tools/subscriptions.js, line 39)
- Package ships non-JavaScript build or shell helper files. (hooks/check-guest-messages.sh)
- This package version adds a dangerous source file absent from the previous stored version; route for source-aware review. (tools/start.js)
- GitHub personal access token in tools/_work-context.manual-test.js (tools/_work-context.manual-test.js, line 77)