/install nerua1-vibe-safe-starter
VibeSafe Starter — Your First Security Pack
3 files. 2 minutes. No more "it works on my machine" disasters.
You vibe-code with AI agents. Cool. But here's what AI won't tell you: 67% of npm packages used in AI-generated projects have known vulnerabilities. The AI doesn't check. It just imports.
This starter pack catches the obvious stuff before it catches you.
What You're Risking (Right Now)
Every time an AI agent writes npm install or pip install without checking:
| Risk | Reality |
|---|---|
| Known CVEs | Public vulnerabilities that attackers already exploit |
| Abandoned packages | Last updated in 2022. No fixes coming. |
| Credential leaks | .env files committed to git. API keys in code. |
| Supply chain attacks | Malicious packages that look legitimate |
| Unmaintained dependencies | 47% of npm packages have no active maintainer |
One vulnerable dependency → your entire project is compromised.
The Fix (3 Files)
1. .github/workflows/security.yml
Drop this into any repo. Runs on every push.
2. audit.sh
Run before npm install. Catches critical CVEs.
3. checklib.sh
Check a library before adding it to your project.
Quick Start
# Clone into your project
git clone https://github.com/nerua1/vibe-safe-starter.git
cp vibe-safe-starter/.github/workflows/security.yml .github/workflows/
cp vibe-safe-starter/audit.sh .
cp vibe-safe-starter/checklib.sh .
chmod +x audit.sh checklib.sh
# Check a library before installing
./checklib.sh react
./checklib.sh flask
# Audit your dependencies
./audit.sh
The Numbers
- 67% of AI-suggested npm packages have known vulnerabilities
- 47% of npm packages are unmaintained
- 1 in 10 GitHub repos leak credentials
- Average CVE goes undetected for 208 days before disclosure
Your AI agent will happily install all of them. This pack won't.
Extend It
This is the minimum. If you want more:
| Need | Solution |
|---|---|
| VS Code integration | VibeSafe Extension |
| AI-powered risk explanation | VibeSafe AI Explain |
| Multi-agent HARNESS | VibeSafe HARNESS §14 |
| Full audit pipeline | VibeSafe Full |
| Dashboard | vibe-safe/tools/dashboard.py --html |
Philosophy
- 80/20 rule: Catch 80% of risks with 20% of effort
- Non-blocking: Suggests, doesn't block your flow
- Zero config: Drop in, works immediately
- Minimal: 3 files. No frameworks. No databases.
Built by nerua1. ⭐ Star if this saves you from a security incident.
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat:
/install nerua1-vibe-safe-starter - After installation, invoke the skill by name or use
/nerua1-vibe-safe-starter - Provide required inputs per the skill's parameter spec and get structured output
What is VibeSafe Starter — Minimum Security for Vibe Coders?
Provides a minimal, zero-config security starter pack for Vibe coders to detect known vulnerabilities, unmaintained packages, and credential leaks before ins... It is an AI Agent Skill for Claude Code / OpenClaw, with 22 downloads so far.
How do I install VibeSafe Starter — Minimum Security for Vibe Coders?
Run "/install nerua1-vibe-safe-starter" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is VibeSafe Starter — Minimum Security for Vibe Coders free?
Yes, VibeSafe Starter — Minimum Security for Vibe Coders is completely free, licensed under MIT-0. You can download, install and use it at no cost.
Which platforms does VibeSafe Starter — Minimum Security for Vibe Coders support?
VibeSafe Starter — Minimum Security for Vibe Coders is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).
Who created VibeSafe Starter — Minimum Security for Vibe Coders?
It is built and maintained by nerua1 (@nerua1); the current version is v1.0.0.