vibe-check
by Todd Kuehnl · GitHub · v0.2.1
800 Downloads · 0 Stars · 5 Active Installs · 7 Versions
Install in OpenClaw: /install vibe-check
Description
Audit code for "vibe coding sins" — patterns that indicate AI-generated code was accepted without proper review. Produces a scored report card with fix sugge...
Usage Guidance
This skill is internally consistent with its purpose: it reads your repo, runs local heuristics, and, if you configure ANTHROPIC_API_KEY or OPENAI_API_KEY, sends file contents to those third-party LLM endpoints for richer analysis. Before installing or using it, consider:
1) Do not set an LLM API key if you are scanning sensitive repos (secrets, proprietary code); you can run it in heuristic mode by unsetting those env vars.
2) The tool only emits unified-diff suggestions and does not auto-apply them, but you should manually review any suggested fixes before applying.
3) Confirm you are comfortable with the agent being allowed to run the supplied scripts (they read files and may call network endpoints).
4) Note minor metadata inconsistencies (declared env vars absent from registry metadata; SKILL.md version differs from registry version); these are not malicious but worth verifying with the publisher if you need strong provenance.
If you need more assurance, inspect the included scripts locally and run them in a controlled environment (sandbox or test repo) with LLM keys unset.
Capability Analysis
Type: OpenClaw Skill
Name: vibe-check
Version: 0.2.1
The OpenClaw AgentSkills 'vibe-check' skill is a code auditing tool designed to identify 'vibe coding sins' and security vulnerabilities in user-provided code. The skill's scripts (`vibe-check.sh`, `analyze.sh`, `report.sh`, `git-diff.sh`, `common.sh`) demonstrate robust shell scripting practices, including `set -euo pipefail`, proper quoting of variables, and safe path resolution. Crucially, `analyze.sh` uses `python3 -c "import json, sys; print(json.dumps(prompt))"` to safely JSON-escape file content before sending it to LLM APIs, mitigating prompt injection risks from the analyzed code. The `SECURITY.md` and `README.md` clearly state the skill's read-only nature, human-in-the-loop fix suggestions, and transparently disclose network behavior (sending code to LLMs). The `test_samples/bad_api.py` file, while containing severe vulnerabilities like RCE via `eval()` and SQL injection, is a test case for the skill's detection capabilities and is not executed by the skill itself. There is no evidence of intentional harmful behavior or self-exploitation.
Capability Assessment
Purpose & Capability
Name/description (vibe-check: audit code for 'vibe coding sins') match the included scripts and report generation. The scripts implement LLM-backed analysis, diff-mode, and --fix suggestion generation which are all coherent with the stated purpose. Minor metadata inconsistencies: SKILL.md and some files call out/expect ANTHROPIC_API_KEY or OPENAI_API_KEY and VIBE_CHECK_BATCH_SIZE, but the registry metadata listed no required env vars — those API keys are optional at runtime but necessary for the LLM-powered mode. SKILL.md also lists version 0.1.1 while the registry shows 0.2.1 (harmless but inconsistent).
Instruction Scope
The runtime instructions tell the agent to run the included shell scripts which: discover and read repository source files (or git diffs), build prompts containing the full file contents and call external LLM APIs (anthropic/openai) using curl. That means source code (including any secrets or credentials present in files) will be transmitted to third-party APIs when API keys are configured. This behavior is expected for an LLM-based auditor, but it is a data-exfiltration/privacy risk that must be accepted consciously. The scripts otherwise stay within scope (they read files, produce reports, and do not auto-apply fixes or push changes).
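An added example (not the skill's own code) illustrating the two points the analysis makes: why file contents must go through `json.dumps` before they are placed in an LLM request body, and a key-gated mode switch that keeps a scan in heuristic mode when neither API key is set. Function names, the model name and the sample file are assumptions constructed for this example.

```python
"""Added example, not part of the vibe-check skill: JSON-encoding file
contents for an LLM request body, and gating network mode on API keys."""
import json

# Constructed sample source file: embedded double quotes and newlines are
# exactly the characters that break naive string interpolation.
SAMPLE_FILE = 'query = "SELECT * FROM users WHERE id=" + user_id\nprint("done")\n'


def naive_payload(content: str, model: str = "example-model") -> str:
    """Anti-pattern: splice raw file text into a hand-built JSON string.
    Quotes and newlines in the file corrupt the request body."""
    return '{"model": "' + model + '", "prompt": "' + content + '"}'


def safe_payload(content: str, model: str = "example-model") -> str:
    """The pattern the skill uses via python3 -c: json.dumps escapes the
    content so the request body is always well-formed JSON."""
    prompt = "Review this file for vibe coding sins:\n" + content
    return json.dumps({"model": model, "prompt": prompt})


def payload_is_valid(payload: str) -> bool:
    """Return True if the body parses as JSON (what the API would accept)."""
    try:
        json.loads(payload)
        return True
    except json.JSONDecodeError:
        return False


def decoded_prompt(payload: str) -> str:
    """Recover the prompt string from a well-formed payload."""
    return json.loads(payload)["prompt"]


def choose_mode(env: dict) -> str:
    """'llm' only when ANTHROPIC_API_KEY or OPENAI_API_KEY is set and
    non-empty; otherwise stay local in 'heuristic' mode so no file
    contents leave the machine."""
    if env.get("ANTHROPIC_API_KEY") or env.get("OPENAI_API_KEY"):
        return "llm"
    return "heuristic"


def prepare_request(content: str, env: dict):
    """Return (mode, payload); payload is None in heuristic mode."""
    mode = choose_mode(env)
    return mode, (safe_payload(content) if mode == "llm" else None)
```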
Install Mechanism
No install spec is provided (instruction-only skill plus shipped scripts). Nothing in the manifest performs network downloads or extracts external archives. The code is included in the skill bundle and executed locally; no high-risk install steps were found.
Credentials
The skill does not request unrelated credentials. It optionally uses ANTHROPIC_API_KEY or OPENAI_API_KEY (appropriate for an LLM-backed auditor) and a tuning var VIBE_CHECK_BATCH_SIZE. The registry metadata omitted these optional environment variables; the README and scripts clearly document them as optional. Requiring user LLM API keys is proportionate to the tool's stated LLM capability but increases the risk that repository contents are sent to those providers.
Persistence & Privilege
The manifest sets always: false and uses the default agent invocation settings. The skill does not request permanent presence, does not attempt to modify other skills or system-wide agent settings, and does not auto-apply patches or perform git operations. It writes a report file only when --output is specified by the user.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat: /install vibe-check
- After installation, invoke the skill by name or use /vibe-check
- Provide required inputs per the skill's parameter spec and get structured output
Version History
v0.2.1
Rebrand to Anvil AI. Remove CacheForge marketing copy. Normalize install commands.
v0.2.0
Republish — metadata refresh, force re-index
v0.1.4
Docs: normalize CacheForge footer and CTA.
v0.1.3
Launch: CacheForge skills wave 1. Discord v2 delivery, security hardened, production-grade.
v0.1.2
Launch: CacheForge skills wave 1. Discord v2 delivery, security hardened, production-grade.
v0.0.1
No changes detected in this version.
- Version remains at 0.1.1.
- No file changes or documentation updates were made.
v0.1.1
Launch batch: CacheForge skills wave 1
Frequently Asked Questions
What is vibe-check?
Audit code for "vibe coding sins" — patterns that indicate AI-generated code was accepted without proper review. Produces a scored report card with fix sugge... It is an AI Agent Skill for Claude Code / OpenClaw, with 800 downloads so far.
How do I install vibe-check?
Run "/install vibe-check" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is vibe-check free?
Yes, vibe-check is completely free (open-source). You can download, install and use it at no cost.
Which platforms does vibe-check support?
vibe-check runs anywhere OpenClaw / Claude Code is available, so it is cross-platform.
Who created vibe-check?
It is built and maintained by Todd Kuehnl (@tkuehnl); the current version is v0.2.1.