vibe-coding

SUSPICIOUS. Most capabilities fit the stated worktree/commit/preview purpose, but trust is weakened by undocumented third-party ngrok/Bun requirements, arbitrary preview command execution from repo config, and use of a custom unverified default domain. I do not see clear credential harvesting or overtly malicious behavior, but the install/data-flow picture is incomplete enough to rate this as medium risk rather than benign.