vibe-kanban

Warn

Audited by Gen Agent Trust Hub on Mar 7, 2026

Risk Level: MEDIUM
Findings: EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, PROMPT_INJECTION, DATA_EXFILTRATION
Full Analysis
  • [EXTERNAL_DOWNLOADS]: The skill documentation and 'scripts/start.sh' utilize 'npx vibe-kanban' to fetch and execute application code directly from the public NPM registry at runtime. This source is not included in the trusted vendors list, and the execution of unversioned remote code poses a significant supply chain risk.
  • [COMMAND_EXECUTION]: Several shell scripts are included ('scripts/start.sh', 'scripts/cleanup.sh', 'scripts/mcp-setup.sh') that perform sensitive operations. Specifically, 'scripts/mcp-setup.sh' modifies the configuration files of other AI agents (Claude and Codex) located in the user's home directory ('/.claude/claude_desktop_config.json' and '/.codex/config.toml') to register the 'vibe-kanban' MCP server. The 'scripts/cleanup.sh' script executes 'git worktree remove --force' on paths matched by specific naming patterns.
  • [DATA_EXFILTRATION]: The skill is designed to handle multiple sensitive API keys (Anthropic, OpenAI, Google) and GitHub tokens. It supports a 'VIBE_KANBAN_REMOTE' mode which, if enabled without strict 'VK_ALLOWED_ORIGINS' configuration, could expose these credentials or the local codebase to the network. The application also references a remote endpoint 'https://api.vibekanban.com'.
  • [PROMPT_INJECTION]: The skill has a large attack surface for indirect prompt injection because it processes external repository content and user-supplied task descriptions to drive other AI agents.
    • Ingestion points: Task descriptions in 'SKILL.md' and workspace repository files.
    • Boundary markers: There are no identified delimiters or instructions in the provided scripts to prevent the underlying agents (Claude, Codex, etc.) from following instructions embedded in the processed data.
    • Capability inventory: The skill has access to 'Bash', 'Write', and 'git' tools, allowing it to modify the local file system and execute shell commands via the agents it manages.
    • Sanitization: No evidence of input validation or escaping was found in the scripts that handle task data or repository paths.
Audit Metadata
Risk Level: MEDIUM
Analyzed: Mar 7, 2026, 02:45 PM