registry  /  slashvibe-mcp  /  0.5.14

slashvibe-mcp@0.5.14

Social layer for Claude Code - DMs, presence, Matrix multiplayer rooms, and connection between AI-assisted developers

AI Security Review

scanned 2h ago · by lpm-firewall-ai

Review flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source
Trigger
User runs setup/CLI or Claude invokes MCP tools such as vibe_start
Impact
Remote paired-user content can enter the agent context; a git-installed copy may update code from origin main during session start.
Mechanism
Claude MCP registration, remote guest-message injection, and git self-update
Policy narrative
When explicitly run, setup.js adds a vibe MCP server entry to Claude config using npx slashvibe-mcp@latest and stores OAuth config under ~/.vibe. During MCP runtime, index.js and presence.js poll slashvibe.dev for guest/session messages and append them to agent-visible responses with warnings. tools/start.js also auto-pulls a git checkout under ~/.vibe/vibe-repo when present.
Rationale
Static inspection found no lifecycle hook, broad credential harvesting, or non-product exfiltration, but the package exposes risky agent-control capabilities through Claude MCP integration and remote context injection. Because activation is user/runtime driven and package-aligned, warn rather than block.
Evidence
package.jsoncli.jssetup.jsindex.jspresence.jstools/start.jstools/_work-context.jstools/subscriptions.jsconfig.js~/.claude.json~/Library/Application Support/Claude/claude_desktop_config.json~/.config/claude/config.json~/.vibe/config.json~/.vibe/.session_<pid>~/.vibe/vibe-repo
Network endpoints5
www.slashvibe.devwww.slashvibe.dev/api/session/guestwww.slashvibe.dev/api/versionwww.slashvibe.dev/api/healthwww.slashvibe.dev/api/presence

Decision evidence

public snapshot
AI called this Suspicious at 84.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • setup.js user-invoked setup writes Claude MCP config with npx slashvibe-mcp@latest
  • index.js/presence.js fetch remote guest messages and inject them into MCP responses
  • tools/start.js can git fetch/pull ~/.vibe/vibe-repo on vibe_start
  • config.js persists OAuth/session tokens under ~/.vibe
Evidence against
  • package.json has no npm lifecycle hooks
  • setup.js is reached via bin/TTY setup, not install-time execution
  • Network calls target package-aligned slashvibe.dev APIs
  • tools/_work-context.js uses execFileSync for git and redacts token/secret patterns
  • tools/subscriptions.js sends stored token only as Authorization to configured API
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 243 file(s), 1.89 MB of source, external domains: api.neynar.com, api.pinata.cloud, api.telegram.org, api.twitter.com, basescan.org, bridge.vibe.network, conduit.xyz, discord.com, docs.neynar.com, docs.slashvibe.dev, eth.llamarpc.com, etherscan.io, example.com, explorer-testnet.vibe.network, explorer.vibe.network, fonts.googleapis.com, fonts.gstatic.com, github.com, graph.facebook.com, mainnet.base.org, my-project.vercel.app, neynar.com, opensea.io, rpc-testnet.vibe.network, rpc.vibe.network, sepolia.base.org, sepolia.basescan.org, slashvibe.dev, testnets.opensea.io, twitter.com, vibe.fyi, warpcast.com, www.slashvibe.dev, x.com, your-domain.com, yourapp.vercel.app

Source & flagged code

7 flagged · loading source
tools/_work-context.test.jsView file
83patternName = github_pat severity = critical line = 83 matchedText = const in...90';
Critical
Critical Secret

Package contains a critical-looking secret pattern.

tools/_work-context.test.jsView on unpkg · L83
83patternName = github_pat severity = critical line = 83 matchedText = const in...90';
Critical
Secret Pattern

GitHub personal access token in tools/_work-context.test.js

tools/_work-context.test.jsView on unpkg · L83
twitter.jsView file
39.update(signatureBaseString) L40: .digest('base64'); L41: } ... L80: async function xRequest(method, endpoint, params = {}, body = null) { L81: const baseUrl = 'https://api.twitter.com'; L82: const url = `${baseUrl}${endpoint}`; ... L89: const fetchUrl = method === 'GET' && Object.keys(params).length > 0 L90: ? `${url}?${new URLSearchParams(params)}` L91: : url;
Low
Weak Crypto

Package source references weak cryptographic algorithms.

twitter.jsView on unpkg · L39
tools/subscriptions.jsView file
39const token = config.getToken(); L40: const apiUrl = process.env.VIBE_API_URL || 'https://www.slashvibe.dev'; L41: ... L51: L52: const result = await response.json(); L53: ... L72: `.trim(), L73: data: result L74: };
High
Credential Exfiltration

Source combines credential-like environment material and outbound requests; review data flow before blocking.

tools/subscriptions.jsView on unpkg · L39
hooks/check-guest-messages.shView file
path = hooks/check-guest-messages.sh kind = build_helper sizeBytes = 7800 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

hooks/check-guest-messages.shView on unpkg
tools/start.jsView file
matchType = previous_version_dangerous_delta matchedPackage = slashvibe-mcp@0.5.13 matchedIdentity = npm:c2xhc2h2aWJlLW1jcA:0.5.13 similarity = 0.983 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

tools/start.jsView on unpkg
tools/_work-context.manual-test.jsView file
77patternName = github_pat severity = critical line = 77 matchedText = { input:...' },
Critical
Secret Pattern

GitHub personal access token in tools/_work-context.manual-test.js

tools/_work-context.manual-test.jsView on unpkg · L77

Findings

4 Critical1 High4 Medium5 Low
CriticalCritical Secrettools/_work-context.test.js
CriticalPrevious Version Dangerous Deltatools/start.js
CriticalSecret Patterntools/_work-context.test.js
CriticalSecret Patterntools/_work-context.manual-test.js
HighCredential Exfiltrationtools/subscriptions.js
MediumNetwork
MediumEnvironment Vars
MediumShips Build Helperhooks/check-guest-messages.sh
MediumStructural Risk Force Deep Review
LowScripts Present
LowWeak Cryptotwitter.js
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings