vibelink-push

Warn

Audited by Socket on Feb 16, 2026

1 alert found:

Security: MEDIUM
SKILL.md

[Skill Scanner] Credential file access detected

This skill's stated purpose (package and upload a project to vibelink.to) matches its capabilities and the described file/network operations. I find no evidence of obfuscation or intentionally malicious behavior in the instructions: uploads go directly to vibelink.to, tokens are handled locally, and files to read/write are narrowly scoped.

However, there are legitimate security risks to be aware of: accidental inclusion of secrets in the zip, running arbitrary dev-server scripts from package.json without strong user confirmation, and storing author tokens in plaintext under ~/.vibelink-tokens. These risks are operational and privacy/security concerns but do not indicate malware in the skill itself.

Recommend enforcing explicit user confirmation before starting servers or uploading, verifying excludes are correct, and advising users to protect ~/.vibelink-tokens (permissions, optional encryption).

LLM verification: This skill's documented behavior is coherent with a project-sharing utility that packages and uploads a repository to vibelink.to and saves a returned author token locally. I find no direct indicators of intentionally malicious code (no obfuscation, no hardcoded secrets, no hidden network relays). However, the feature set enables sensitive data exfiltration (uploads entire repos) and executes arbitrary local project scripts when starting dev servers — both legitimate for this tool but high-risk

Confidence: 80%
Severity: 75%

Audit Metadata

Analyzed At: Feb 16, 2026, 11:38 AM
Package URL: pkg:socket/skills-sh/astein91%2Fvibelink-skills%2Fvibelink-push%2F@0d088a57edb54f0efee987cb55d61c11b3453001