registry  /  slashvibe-mcp  /  0.5.11

slashvibe-mcp@0.5.11

Social layer for Claude Code - DMs, presence, Matrix multiplayer rooms, and connection between AI-assisted developers

AI Security Review

scanned 1d ago · by lpm-firewall-ai

No confirmed malicious install-time behavior or credential exfiltration was found. Residual risk is an agent-facing MCP tool that can inject remote paired-user messages into responses and a user-invoked full-fork path with shell-command construction around git branch/ref names.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source
Trigger
Explicit user invocation of setup, MCP tools, or vibe session fork --full
Impact
Potential prompt-injection exposure during collaboration and possible command injection if attacker-controlled branch/ref data reaches git execSync paths.
Mechanism
user-invoked MCP registration, remote message display, and git bundle application
Attack narrative
The package is a Claude/MCP social collaboration server. Its setup command can add itself to Claude MCP config and runtime tools communicate with slashvibe.dev, including displaying paired-user messages in MCP output. I found no lifecycle hook or automatic foreign control-surface mutation, but user-invoked full session forking downloads a bundle and applies it through execSync paths with interpolated branch/ref strings, creating unresolved command-execution risk rather than proven malware.
Rationale
Source inspection does not support a malicious verdict because risky Claude config writes are explicit setup behavior and network use is package-aligned. The git bundle application and remote message injection are real agent-facing risks, so warn rather than mark clean.
Evidence
package.jsoncli.jssetup.jsindex.jsconfig.jstools/start.jstools/session.jstools/lib/git-apply.jstools/lib/git-bundle.jstools/_work-context.js~/.claude.json~/Library/Application Support/Claude/claude_desktop_config.json~/.config/claude/config.json~/AppData/Roaming/Claude/claude_desktop_config.json~/.vibe/config.json~/.vibe/.session_<pid>
Network endpoints3
www.slashvibe.devslashvibe.devlocalhost:9876/callback

Decision evidence

public snapshot
AI called this Suspicious at 82.0% confidence as Critical Vulnerability with medium false-positive risk.
Evidence for warning
  • setup.js user-invoked CLI writes Claude MCP config at ~/.claude.json or Claude app config
  • setup.js registers npx -y slashvibe-mcp@latest in mcpServers.vibe
  • index.js fetches /api/session/guest messages and injects them into MCP text responses
  • tools/session.js full fork passes user args.branch to git bundle application
  • tools/lib/git-apply.js and tools/lib/git-bundle.js use execSync with interpolated branch/ref values
Evidence against
  • package.json has no npm lifecycle install/postinstall hooks
  • Claude config mutation is only via explicit cli.js/setup.js path, not install-time
  • network traffic is package-aligned to slashvibe.dev and user-configurable VIBE_API_URL
  • auth tokens are read from ~/.vibe config and sent as Bearer tokens to package API
  • tools/_work-context.js uses execFileSync with limits/redaction for git context collection
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 241 file(s), 1.86 MB of source, external domains: api.neynar.com, api.pinata.cloud, api.telegram.org, api.twitter.com, basescan.org, bridge.vibe.network, conduit.xyz, discord.com, docs.neynar.com, docs.slashvibe.dev, eth.llamarpc.com, etherscan.io, example.com, explorer-testnet.vibe.network, explorer.vibe.network, fonts.googleapis.com, fonts.gstatic.com, github.com, graph.facebook.com, mainnet.base.org, my-project.vercel.app, neynar.com, opensea.io, rpc-testnet.vibe.network, rpc.vibe.network, sepolia.base.org, sepolia.basescan.org, slashvibe.dev, testnets.opensea.io, twitter.com, vibe.fyi, warpcast.com, www.slashvibe.dev, x.com, your-domain.com, yourapp.vercel.app

Source & flagged code

7 flagged · loading source
tools/_work-context.test.jsView file
83patternName = github_pat severity = critical line = 83 matchedText = const in...90';
Critical
Critical Secret

Package contains a critical-looking secret pattern.

tools/_work-context.test.jsView on unpkg · L83
83patternName = github_pat severity = critical line = 83 matchedText = const in...90';
Critical
Secret Pattern

GitHub personal access token in tools/_work-context.test.js

tools/_work-context.test.jsView on unpkg · L83
twitter.jsView file
39.update(signatureBaseString) L40: .digest('base64'); L41: } ... L80: async function xRequest(method, endpoint, params = {}, body = null) { L81: const baseUrl = 'https://api.twitter.com'; L82: const url = `${baseUrl}${endpoint}`; ... L89: const fetchUrl = method === 'GET' && Object.keys(params).length > 0 L90: ? `${url}?${new URLSearchParams(params)}` L91: : url;
Low
Weak Crypto

Package source references weak cryptographic algorithms.

twitter.jsView on unpkg · L39
tools/subscriptions.jsView file
39const token = config.getToken(); L40: const apiUrl = process.env.VIBE_API_URL || 'https://www.slashvibe.dev'; L41: ... L51: L52: const result = await response.json(); L53: ... L72: `.trim(), L73: data: result L74: };
High
Credential Exfiltration

Source combines credential-like environment material and outbound requests; review data flow before blocking.

tools/subscriptions.jsView on unpkg · L39
hooks/check-guest-messages.shView file
path = hooks/check-guest-messages.sh kind = build_helper sizeBytes = 7800 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

hooks/check-guest-messages.shView on unpkg
tools/start.jsView file
matchType = previous_version_dangerous_delta matchedPackage = slashvibe-mcp@0.5.10 matchedIdentity = npm:c2xhc2h2aWJlLW1jcA:0.5.10 similarity = 0.967 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

tools/start.jsView on unpkg
tools/_work-context.manual-test.jsView file
77patternName = github_pat severity = critical line = 77 matchedText = { input:...' },
Critical
Secret Pattern

GitHub personal access token in tools/_work-context.manual-test.js

tools/_work-context.manual-test.jsView on unpkg · L77

Findings

4 Critical1 High4 Medium5 Low
CriticalCritical Secrettools/_work-context.test.js
CriticalPrevious Version Dangerous Deltatools/start.js
CriticalSecret Patterntools/_work-context.test.js
CriticalSecret Patterntools/_work-context.manual-test.js
HighCredential Exfiltrationtools/subscriptions.js
MediumNetwork
MediumEnvironment Vars
MediumShips Build Helperhooks/check-guest-messages.sh
MediumStructural Risk Force Deep Review
LowScripts Present
LowWeak Cryptotwitter.js
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings