vibekanban
Warn
Audited by Gen Agent Trust Hub on Mar 12, 2026
Risk Level: MEDIUM
Categories: COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill configuration explicitly enables high-risk execution modes for AI agents, such as --dangerously-skip-permissions and --yolo by default. This design choice allows agents to perform autonomous system-level actions without requiring user approval or manual verification.
- [EXTERNAL_DOWNLOADS]: The primary execution and installation method is npx vibe-kanban, which dynamically retrieves and runs code from the npm registry. This introduces a dependency on the integrity of the remote package and registry security.
- [DATA_EXFILTRATION]: Features a 'Remote Access' system where a local host machine can be paired with https://cloud.vibekanban.com using pairing codes. This facilitates remote interaction with local workspaces, which could potentially expose local development environments to a third-party cloud service.
- [DATA_EXFILTRATION]: The tool automates the copying of sensitive files, such as .env files, from the main project into isolated git worktrees. The ability to disable automatic cleanup via the DISABLE_WORKTREE_CLEANUP environment variable increases the risk that these secrets may persist on the filesystem.
- [PROMPT_INJECTION]: The skill presents an attack surface for indirect prompt injection.
  - Ingestion points: Data is read from external repositories and GitHub/Azure DevOps pull requests (references/workspaces.md, references/core-features.md).
  - Boundary markers: No specific delimiters or safety instructions are mentioned for isolating or sanitizing untrusted data.
  - Capability inventory: Agents have access to the shell, file system, and various project management tools via the Model Context Protocol (references/integrations.md).
  - Sanitization: No documented process exists for sanitizing external inputs before they are processed by the AI agents.
Audit Metadata