vibe-check

Audit code for "vibe coding sins" — patterns that indicate AI-generated code was accepted without proper review. Produces a scored report card with fix sugge...

This skill is internally consistent with its purpose: it reads your repo, runs local heuristics, and — if you configure ANTHROPIC_API_KEY or OPENAI_API_KEY — sends file contents to those third-party LLM endpoints for richer analysis. Before installing/using it, consider: 1) Do not set an LLM API key if you are scanning sensitive repos (secrets, proprietary code) — you can run it in heuristic mode by unsetting those env vars. 2) The tool only emits unified-diff suggestions and does not auto-apply them, but you should manually review any suggested fixes before applying. 3) Confirm you are comfortable with the agent being allowed to run the supplied scripts (they read files and may call network endpoints). 4) Note minor metadata inconsistencies (declared env vars absent from registry metadata; SKILL.md version differs from registry version) — these are not malicious but worth verifying with the publisher if you need strong provenance. If you need more assurance, inspect the included scripts locally and run them in a controlled environment (sandbox or test repo) with LLM keys unset.

Type: OpenClaw Skill Name: vibe-check Version: 0.2.1 The OpenClaw AgentSkills 'vibe-check' skill is a code auditing tool designed to identify 'vibe coding sins' and security vulnerabilities in user-provided code. The skill's scripts (`vibe-check.sh`, `analyze.sh`, `report.sh`, `git-diff.sh`, `common.sh`) demonstrate robust shell scripting practices, including `set -euo pipefail`, proper quoting of variables, and safe path resolution. Crucially, `analyze.sh` uses `python3 -c "import json, sys; print(json.dumps(prompt))"` to safely JSON-escape file content before sending it to LLM APIs, mitigating prompt injection risks from the analyzed code. The `SECURITY.md` and `README.md` clearly state the skill's read-only nature, human-in-the-loop fix suggestions, and transparently disclose network behavior (sending code to LLMs). The `test_samples/bad_api.py` file, while containing severe vulnerabilities like RCE via `eval()` and SQL injection, is a test case for the skill's detection capabilities and is not executed by the skill itself. There is no evidence of intentional harmful behavior or self-exploitation.