Is binora/vibes safe?

https://github.com/openclaw/skills/tree/main/skills/binora/vibes

Overall score: 77 (CAUTION)

The vibes skill's SKILL.md is benign with no prompt injection, and installation was clean. The primary risks are runtime: the MCP server is loaded via 'npx vibes-mcp@latest' (a floating npm dependency that executes with full agent permissions and is never audited), user messages are transmitted to an external fly.io endpoint with no disclosed privacy guarantees, and other users' vibe posts are injected as third-party content into the agent's context window where they could carry prompt injection payloads. The skill is not malicious as shipped, but its architecture creates meaningful supply chain and data-exposure attack surfaces.

Category Scores

Prompt Injection 88/100 · 30%
Data Exfiltration 63/100 · 25%
Code Execution 60/100 · 20%
Clone Behavior 92/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 60/100 · 5%

Findings (6)

HIGH Floating @latest npm dependency executes at runtime -40

The MCP server is configured as 'npx vibes-mcp@latest'. This means every invocation downloads and runs whatever version is currently published to npm as 'latest'. A supply chain compromise of the vibes-mcp package — npm account takeover, malicious maintainer, or typosquatting of a future rename — would result in arbitrary code executing with the agent's full OS permissions the next time a user runs /vibes.

MEDIUM User messages transmitted to third-party API endpoint -25

When a user invokes '/vibes "message"', the message content is sent to https://vibes-api.fly.dev via the MCP server. There is no disclosed privacy policy, data retention period, or indication of what server-side logging occurs. The service could associate messages with IP addresses, agent identifiers, or session metadata.

MEDIUM Third-party vibe content injected into agent context window -30

The /vibes command retrieves and displays messages posted by other users. These are attacker-controlled strings that appear inside the agent's context. A motivated attacker could craft vibe messages containing prompt injection payloads targeting agents that read them (e.g., instructions disguised as developer humor that alter agent behavior).

MEDIUM MCP server is an opaque binary with agent-level permissions -20

The vibes-mcp npm package runs as a local process with the same filesystem and network access as the agent. Its source code is not bundled in the skill repository and was not audited during installation. The MCP protocol does not sandbox what the server process can access between tool calls.

LOW IP and connection metadata exposed to vibes-api.fly.dev on every invocation -12

Even a read-only /vibes call (no message) makes an outbound HTTPS connection to vibes-api.fly.dev, exposing the agent host's IP address. The 'anonymous' claim in the skill description refers to the absence of user accounts, not to network-level anonymity.

INFO Installation was clean with no unexpected behavior 0

The skill contains only SKILL.md and _meta.json. Installation was a standard sparse git checkout with no process spawning, no filesystem writes outside the target directory, and no unexpected network connections.