← 返回 Skills 市场

VibeSafe Starter — Minimum Security for Vibe Coders

Name: VibeSafe Starter — Minimum Security for Vibe Coders
Author: nerua1

作者 nerua1 · GitHub ↗ · v1.0.0 · MIT-0

cross-platform ⚠ suspicious

总下载

当前安装

版本数

在 OpenClaw 中安装

/install nerua1-vibe-safe-starter

功能描述

Provides a minimal, zero-config security starter pack for Vibe coders to detect known vulnerabilities, unmaintained packages, and credential leaks before ins...

使用说明 (SKILL.md)

VibeSafe Starter — Your First Security Pack

3 files. 2 minutes. No more "it works on my machine" disasters.

You vibe-code with AI agents. Cool. But here's what AI won't tell you: 67% of npm packages used in AI-generated projects have known vulnerabilities. The AI doesn't check. It just imports.

This starter pack catches the obvious stuff before it catches you.

What You're Risking (Right Now)

Every time an AI agent writes npm install or pip install without checking:

Risk	Reality
Known CVEs	Public vulnerabilities that attackers already exploit
Abandoned packages	Last updated in 2022. No fixes coming.
Credential leaks	`.env` files committed to git. API keys in code.
Supply chain attacks	Malicious packages that look legitimate
Unmaintained dependencies	47% of npm packages have no active maintainer

One vulnerable dependency → your entire project is compromised.

The Fix (3 Files)

1. `.github/workflows/security.yml`

Drop this into any repo. Runs on every push.

2. `audit.sh`

Run before npm install. Catches critical CVEs.

3. `checklib.sh`

Check a library before adding it to your project.

Quick Start

# Clone into your project
git clone https://github.com/nerua1/vibe-safe-starter.git
cp vibe-safe-starter/.github/workflows/security.yml .github/workflows/
cp vibe-safe-starter/audit.sh .
cp vibe-safe-starter/checklib.sh .
chmod +x audit.sh checklib.sh

# Check a library before installing
./checklib.sh react
./checklib.sh flask

# Audit your dependencies
./audit.sh

The Numbers

67% of AI-suggested npm packages have known vulnerabilities
47% of npm packages are unmaintained
1 in 10 GitHub repos leak credentials
Average CVE goes undetected for 208 days before disclosure

Your AI agent will happily install all of them. This pack won't.

Extend It

This is the minimum. If you want more:

Need	Solution
VS Code integration	VibeSafe Extension
AI-powered risk explanation	VibeSafe AI Explain
Multi-agent HARNESS	VibeSafe HARNESS §14
Full audit pipeline	VibeSafe Full
Dashboard	`vibe-safe/tools/dashboard.py --html`

Philosophy

80/20 rule: Catch 80% of risks with 20% of effort
Non-blocking: Suggests, doesn't block your flow
Zero config: Drop in, works immediately
Minimal: 3 files. No frameworks. No databases.

Built by nerua1. ⭐ Star if this saves you from a security incident.

☕ PayPal.me/nerudek

安全使用建议

Before installing, inspect the GitHub Actions workflow in the referenced repository and pin it to a trusted commit. The included shell scripts appear aligned with dependency and secret checking, but run them only in repositories you intend to scan and treat any secret findings as sensitive.

功能分析

Type: OpenClaw Skill Name: nerua1-vibe-safe-starter Version: 1.0.0 The bundle provides legitimate security utility scripts (audit.sh and checklib.sh) designed to identify vulnerabilities in npm and Python dependencies. It uses standard tools like npm audit, pip-audit, and the OSV.dev API to check for CVEs and scans local files for hardcoded secrets using basic regex patterns. No evidence of data exfiltration, malicious persistence, or prompt injection was found.

能力标签

cryptorequires-walletrequires-sensitive-credentials

能力评估

ℹ Purpose & Capability

The stated security-audit purpose matches the included audit.sh and checklib.sh scripts. However, the documentation advertises a third workflow file that is not present in the reviewed manifest.

ℹ Instruction Scope

The instructions are user-directed and do not contain agent goal overrides. The scripts do perform network lookups, dependency-audit commands, and repository scanning as part of the security-checking workflow.

⚠ Install Mechanism

There is no install spec, and the Quick Start instead instructs an unpinned git clone from GitHub and copying a .github/workflows/security.yml file that is not included in the reviewed artifacts.

ℹ Credentials

The scripts read the selected project, query public package/security APIs, and may update dependency lockfile state; this is broadly proportionate to dependency and secret scanning but should be run only in intended repositories.

⚠ Persistence & Privilege

The missing GitHub Actions workflow is described as running on every push, creating persistent CI automation whose reviewed content and permissions are not visible in the supplied artifacts.

如何使用

确保已安装 OpenClaw（本地或 Docker 部署）
在对话框中输入安装命令：/install nerua1-vibe-safe-starter
安装完成后，直接呼叫该 Skill 的名称或使用 /nerua1-vibe-safe-starter 触发
根据 Skill 的参数说明提供必要输入，即可获得结构化输出

版本历史

v1.0.0

VibeSafe Starter 1.0.0 — Initial Release - Provides a lightweight, zero-config security starter pack for AI-generated code projects. - Includes GitHub Actions workflow, dependency audit script, and package vetting script. - Helps catch common risks: known CVEs, abandoned or unmaintained packages, credential leaks, and supply chain attacks. - Quick setup: just copy three files into any repo to enable basic security checks on push and before installing dependencies. - Designed for maximum impact with minimal setup—no frameworks or databases required.

元数据

Slug nerua1-vibe-safe-starter

版本 1.0.0

许可证 MIT-0

累计安装 0

当前安装数 0

历史版本数 1

常见问题