vibekanban
Fail
Audited by Snyk on May 19, 2026
Risk Level: CRITICAL
Full Analysis
CRITICAL E006: Malicious code pattern detected in skill scripts.
- Malicious code pattern detected (high risk: 1.00). The documentation explicitly promotes permissive/“YOLO” agent modes (dangerously_skip_permissions, yolo, danger-full-access), remote pairing/control, arbitrary MCP server commands, PTY-backed terminals, copying of sensitive files (e.g., .env) into worktrees, and disabling cleanup — collectively enabling remote code execution, credential exposure, and supply-chain/local-exec abuse.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 0.80). The docs explicitly instruct running "npx vibe-kanban" (and the MCP example "npx vibe-kanban@latest --mcp"), which fetches and executes remote package code from the npm registry (e.g. https://www.npmjs.com/package/vibe-kanban / https://github.com/BloopAI/vibe-kanban) at runtime, so this is a required external dependency that executes remote code.
Issues (2)
E006
CRITICALMalicious code pattern detected in skill scripts.
W012
MEDIUMUnverifiable external dependency detected (runtime URL that controls agent).
Audit Metadata