vibe-review
Pass
Audited by Gen Agent Trust Hub on May 5, 2026
Risk Level: SAFE
Full Analysis
- [COMMAND_EXECUTION]: The skill uses command-line tools such as `git` and `gh` to clone repositories and fetch pull request metadata. These operations stay within the restricted parameters defined in the `allowed-tools` configuration and are fundamental to the skill's purpose as a code reviewer.
- [EXTERNAL_DOWNLOADS]: The skill clones external source code from well-known version control platforms, including GitHub, GitLab, Gitee, and GitCode. These operations use the `git clone` command and target temporary directories (`/tmp/vibe-review-*`) for analysis, which is standard practice for this type of developer tool.
- [DYNAMIC_CONTEXT_INJECTION]: The `SKILL.md` file contains shell command substitution patterns (`!git remote -v` and `!pwd`) that identify the current project environment when the skill is loaded. These commands are benign and serve only to establish context for the code review.
- [FALSE_POSITIVE]: Static-analysis heuristic flags for the `eval` and `exec` keywords in `SKILL.md` were identified as false positives. These terms appear within the text of the coding-standards documentation (e.g., instructions to the agent to check for injection vulnerabilities in Python code) and are not part of any executable script or malicious logic within the skill itself.
- [SAFE]: No evidence of data exfiltration, privilege escalation, or persistence was found. The skill follows best practices for developer tools, including the use of temporary directories and restricted tool access.
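The three findings above (command substitutions in `SKILL.md`, the `eval`/`exec` keyword triage, and the clone destination under `/tmp/vibe-review-*`) can be reproduced with a small scanner. The following is an added example written for this page; it is not code from the vibe-review skill or from Gen Agent Trust Hub. It assumes a `` !`cmd` `` substitution syntax, an `allowed-tools: Bash(name:*)` frontmatter form, and a constructed sample `SKILL.md` embedded inline; the real file may differ.

```python
import re

FENCE = "`" * 3  # built this way so the sample can embed its own fenced block

# Constructed sample SKILL.md, modelled on the audit's description of the
# real file. It is NOT the actual vibe-review skill file.
SAMPLE_SKILL_MD = f"""---
name: vibe-review
allowed-tools: Bash(git:*), Bash(gh:*)
---
Repository: !`git remote -v`
Working directory: !`pwd`

## Python review standards
- Flag eval or exec on untrusted input; treat both as injection sinks.

{FENCE}bash
git clone "$REPO_URL" "/tmp/vibe-review-$$"
{FENCE}
"""

SUBST_RE = re.compile(r"!`([^`]+)`")                     # assumed !`cmd` syntax
ALLOWED_RE = re.compile(r"Bash\(([A-Za-z0-9_-]+):\*\)")   # assumed allowed-tools form
KEYWORD_RE = re.compile(r"\b(eval|exec)\b")
CLONE_RE = re.compile(r"git clone\s+(?:-\S+\s+)*(\S+)\s+(\S+)")


def allowed_commands(text):
    """Command names permitted by the frontmatter's allowed-tools line."""
    for line in text.splitlines():
        if line.startswith("allowed-tools:"):
            return set(ALLOWED_RE.findall(line))
    return set()


def find_substitutions(text):
    """(line, command) pairs the agent runtime would execute when the skill loads."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for cmd in SUBST_RE.findall(line):
            hits.append((lineno, cmd.strip()))
    return hits


def disallowed_substitutions(text):
    """Substituted commands whose binary is not in the declared allow-list.
    These are the ones a reviewer must judge by hand (e.g. `pwd` is benign)."""
    allowed = allowed_commands(text)
    return [(n, c) for n, c in find_substitutions(text) if c.split()[0] not in allowed]


def keyword_hits(text):
    """Classify each eval/exec mention as inside a fenced code block or in prose.
    A hit in prose is documentation (the false positive the audit describes);
    a hit in code is something the skill might actually run."""
    hits = []
    in_code = False
    for lineno, line in enumerate(text.splitlines(), 1):
        if line.startswith(FENCE):
            in_code = not in_code
            continue
        for m in KEYWORD_RE.finditer(line):
            hits.append((lineno, m.group(1), "code" if in_code else "prose"))
    return hits


def clone_destinations(text):
    """Target directories of every `git clone` in the file, quotes stripped."""
    return [dest.strip("\"'") for _src, dest in CLONE_RE.findall(text)]


def clones_outside(text, prefix="/tmp/vibe-review-"):
    """Clone targets that do not land under the expected temporary prefix."""
    return [d for d in clone_destinations(text) if not d.startswith(prefix)]


def audit(text):
    """Summary in the shape of the audit's findings."""
    hits = keyword_hits(text)
    return {
        "substitutions": find_substitutions(text),
        "substitutions_outside_allowlist": disallowed_substitutions(text),
        "keyword_hits_in_code": [h for h in hits if h[2] == "code"],
        "keyword_hits_in_prose": [h for h in hits if h[2] == "prose"],
        "clones_outside_tmp": clones_outside(text),
    }


if __name__ == "__main__":
    for key, value in audit(SAMPLE_SKILL_MD).items():
        print(f"{key}: {value}")
```

On the constructed sample the scanner reports both substitutions, flags `pwd` as outside the `git`/`gh` allow-list for manual review, places both `eval` and `exec` hits in prose rather than code, and finds no clone target outside `/tmp/vibe-review-`.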
Audit Metadata