vibe-check
Pass
Audited by Gen Agent Trust Hub on Mar 16, 2026
Risk Level: SAFECOMMAND_EXECUTION
Full Analysis
- [COMMAND_EXECUTION]: The skill is built around executing the
vibiumCLI tool to perform browser automation. It includes logic for the agent to resolve the binary path across global and local environments, including./clicker/bin/vibiumand./node_modules/.bin/vibium. - [PROMPT_INJECTION]: As a browser automation utility, the skill is subject to indirect prompt injection (Category 8) from untrusted web content.
- Ingestion points: The agent ingests external data through commands like
vibium go,vibium text,vibium html, andvibium map(SKILL.md). - Boundary markers: The skill does not define specific delimiters or "ignore instructions" prompts for processed web data.
- Capability inventory: The agent has the ability to click elements, fill forms, execute arbitrary JavaScript in the browser (
eval), and manage sensitive session data (cookies,storage) (SKILL.md). - Sanitization: No explicit sanitization of web content is performed by the skill instructions.
- [SAFE]: The
vibiumbinary and its associated ecosystem are resources belonging to the vendor, VibiumDev. The features described, including browser state management and script execution, are standard for the tool's primary purpose of automation.
Audit Metadata