vibekanban

Fail

Audited by Snyk on May 19, 2026

Risk Level: CRITICAL
Full Analysis

CRITICAL E006: Malicious code pattern detected in skill scripts.

  • Malicious code pattern detected (high risk: 1.00). The documentation explicitly promotes permissive/“YOLO” agent modes (dangerously_skip_permissions, yolo, danger-full-access), remote pairing/control, arbitrary MCP server commands, PTY-backed terminals, copying of sensitive files (e.g., .env) into worktrees, and disabling cleanup — collectively enabling remote code execution, credential exposure, and supply-chain/local-exec abuse.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

  • Potentially malicious external URL detected (high risk: 0.80). The docs explicitly instruct running "npx vibe-kanban" (and the MCP example "npx vibe-kanban@latest --mcp"), which fetches and executes remote package code from the npm registry (e.g. https://www.npmjs.com/package/vibe-kanban / https://github.com/BloopAI/vibe-kanban) at runtime, so this is a required external dependency that executes remote code.

Issues (2)

E006
CRITICAL

Malicious code pattern detected in skill scripts.

W012
MEDIUM

Unverifiable external dependency detected (runtime URL that controls agent).

Audit Metadata
Risk Level
CRITICAL
Analyzed
May 19, 2026, 06:38 AM
Issues
2
Security Audit — snyk — vibekanban