vibes
Audited by Socket on Mar 29, 2026
2 alerts found:
Anomaly (x2): This module primarily performs UI bootstrapping, local persistence, and optional WebSocket-driven synchronization. It does not show clear malicious payload behavior, but it presents meaningful security concerns: an OIDC access token is placed into the WebSocket URL query string (increasing token leakage risk), and authentication UI code is loaded at runtime via dynamic import from '/oidc-bridge.js' and exposed on window globals (increasing supply-chain/hosting integrity risk). Treat it as moderate risk and ensure the token handling and OIDC bridge loading/integrity are tightly controlled.
SUSPICIOUS: The skill is broadly aligned with its stated purpose as an app generator/deployer, but it carries medium risk because it executes repo-local Bun scripts, forwards an AI API key into an opaque deploy wrapper, performs silent token checks, and chains into other skills. No clear evidence of malicious intent or overt credential theft is shown, but the hidden implementation behind local scripts and transitive skill handoffs warrants caution.