Security Audit
mike-coulbourn/claude-vibes:plugins/vibes/skills/agent-builder
github.com/mike-coulbourn/claude-vibes
Trust Assessment
mike-coulbourn/claude-vibes:plugins/vibes/skills/agent-builder received a trust score of 0/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 14 findings: 6 critical, 8 high, 0 medium, and 0 low severity. Key findings include File read + network send exfiltration, Sensitive path access: AI agent config, and Skill instructs on configuring agents with full shell access and broad command execution.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The Manifest Analysis layer scored lowest at 0/100; every one of its findings is a reference to a sensitive path in SKILL.md. Note that the 6 critical and 6 of the 8 high findings are the same six references to `~/.claude/` in SKILL.md (lines 26, 81, 96, 107, 108 and 441), each reported once by the Manifest layer and once by the Static layer. Because the file flagged is an instruction document rather than executable code, and the skill's purpose is to build agents (the LLM layer itself cites `~/.claude/agents/` as where agent definitions live), a reviewer should check those six lines to decide whether they describe agent storage locations or actually direct an agent to read and transmit credential files. The two remaining high findings come from the LLM layer and concern the privileges the skill teaches users to grant.
Last analyzed on March 22, 2026 (commit b6e9c9a1). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (14)
| Severity | Finding | Layer | Location | Detail and recommendation |
|---|---|---|---|---|
| CRITICAL | File read + network send exfiltration | Manifest | plugins/vibes/skills/agent-builder/SKILL.md:26, :81, :96, :107, :108, :441 (6 findings, one per line) | AI agent config/credential file access. Remove access to sensitive files not required by the skill's stated purpose. SSH keys, cloud credentials, and browser data should never be read by skills unless explicitly part of their declared functionality. |
| HIGH | Sensitive path access: AI agent config | Static | plugins/vibes/skills/agent-builder/SKILL.md:26, :81, :96, :107, :108, :441 (6 findings, one per line) | Access to AI agent config path detected: `~/.claude/`. This may indicate credential theft. Verify that access to this sensitive path is justified and declared. |
| HIGH | Skill instructs on configuring agents with full shell access and broad command execution | LLM | SKILL.md:40 | The `SKILL.md` provides explicit instructions and examples for configuring custom agents with `tools: Bash` (full shell access) and broad `Bash` tool patterns (e.g., `Bash(git:*)`, `Bash(npm:*)`). It also mentions `permissionMode: bypassPermissions`. The guide warns to use these sparingly, but it still gives the explicit steps to enable these highly privileged settings. If such an agent's system prompt or a later input is compromised by prompt injection, the attacker gets arbitrary command execution on the host. Strongly discourage `tools: Bash` and `permissionMode: bypassPermissions` for general agent creation. If these options must be documented, move them to an 'Advanced/Expert Use Only' section with prominent, explicit warnings about the security implications, and recommend that agents needing such broad access run in isolated, sandboxed environments. Emphasize least privilege: grant each agent only the minimum tools its task requires. |
| HIGH | Skill instructs on configuring agents with file read and shell access, enabling potential data exfiltration | LLM | SKILL.md:34 | The `SKILL.md` guides users on creating agents configured with `Read` tool access and `Bash` (full shell access), potentially combined with `permissionMode: bypassPermissions`. An agent with these permissions that is compromised via prompt injection could be instructed to read and exfiltrate sensitive files from the host, including configuration files, credentials, or personal data in the user's home directory (e.g., `~/.claude/agents/`, `~/.ssh`, `~/.aws`). Strongly discourage `tools: Bash` and `permissionMode: bypassPermissions`. For `Read` access, advise users to restrict the set of files an agent can read where possible, and to be especially cautious when granting `Read` to agents that process untrusted input. Reinforce least privilege for all tool access. |
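To make the two LLM findings and the repeated path findings concrete, the following is an added example (not SkillShield's code and not part of the claude-vibes skill) that re-implements, in a minimal form, two of the checks the report applies to an agent definition: sensitive-path references in the file body, and over-broad tool grants in the YAML frontmatter (`tools: Bash`, `tool:*` patterns such as `Bash(npm:*)`, and `permissionMode: bypassPermissions`). The sensitive-path list, the "one token followed by `:*`" heuristic for a broad pattern, and the severity labels are assumptions modelled on the report's wording, not SkillShield's rules; the two agent files are constructed samples, one written the way the report objects to and one rewritten with least-privilege grants.

```python
"""Added example: minimal re-implementation of two SkillShield-style checks.
Not SkillShield's code. Path list, heuristics and severities are assumptions."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Assumed sensitive-path list, modelled on the paths named in the report.
SENSITIVE_PATHS = {
    r"~/\.claude/": "AI agent config",
    r"~/\.ssh\b": "SSH keys",
    r"~/\.aws\b": "cloud credentials",
}

# Tool grant syntax as shown on the page: `Bash`, `Bash(git:*)`, `Bash(npm:*)`.
TOOL_GRANT = re.compile(r"^(?P<tool>\w+)(?:\((?P<arg>[^)]*)\))?$")


@dataclass(frozen=True)
class Finding:
    severity: str
    title: str
    line: int


def parse_frontmatter(text: str) -> dict[str, tuple[str, int]]:
    """Parse a flat `---` YAML frontmatter block into key -> (value, line number).
    Nested YAML is out of scope for this example."""
    lines = text.splitlines()
    if not lines or lines[0].strip() != "---":
        return {}
    fields: dict[str, tuple[str, int]] = {}
    for lineno, line in enumerate(lines[1:], 2):
        if line.strip() == "---":
            break
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = (value.strip(), lineno)
    return fields


def audit_grants(fields: dict[str, tuple[str, int]]) -> list[Finding]:
    """Flag the grants the report calls out. Heuristic (assumed): a Bash pattern
    whose argument is a single token plus ':*' (e.g. 'npm:*') is 'broad'; a
    pattern with a sub-command ('npm run build:*') is not flagged."""
    out: list[Finding] = []
    tools, tools_line = fields.get("tools", ("", 0))
    for raw in (t.strip() for t in tools.split(",")):
        m = TOOL_GRANT.match(raw)
        if not m or m.group("tool") != "Bash":
            continue
        arg = m.group("arg")
        if arg is None:
            out.append(Finding("CRITICAL", "Unrestricted shell access: tools: Bash", tools_line))
        elif re.fullmatch(r"\S+:\*", arg):
            out.append(Finding("HIGH", f"Broad command pattern: Bash({arg})", tools_line))
    mode, mode_line = fields.get("permissionMode", ("", 0))
    if mode == "bypassPermissions":
        out.append(Finding("CRITICAL", "permissionMode: bypassPermissions", mode_line))
    return out


def scan_sensitive_paths(text: str) -> list[Finding]:
    """Report every line that mentions one of the assumed sensitive paths."""
    return [
        Finding("HIGH", f"Sensitive path access: {label}", lineno)
        for lineno, line in enumerate(text.splitlines(), 1)
        for pattern, label in SENSITIVE_PATHS.items()
        if re.search(pattern, line)
    ]


def audit_skill(text: str) -> list[Finding]:
    """Run both checks over one SKILL.md / agent file; results sorted by line."""
    findings = audit_grants(parse_frontmatter(text)) + scan_sensitive_paths(text)
    return sorted(findings, key=lambda f: (f.line, f.title))


# Constructed sample: the kind of agent definition the report objects to.
WEAK = """---
name: deploy-helper
description: Runs builds and deploys
tools: Read, Bash, Bash(npm:*)
permissionMode: bypassPermissions
---
Agent files live in ~/.claude/agents/; keys are in ~/.ssh/id_ed25519.
"""

# Constructed sample: same agent with least-privilege grants and no sensitive paths.
HARDENED = """---
name: deploy-helper
description: Runs builds and deploys
tools: Read, Bash(npm run build:*), Bash(git diff:*)
---
Agent files live under the project's own .claude/agents/ directory.
"""

if __name__ == "__main__":
    for label, doc in (("weak", WEAK), ("hardened", HARDENED)):
        print(f"== {label} ==")
        for f in audit_skill(doc):
            print(f"{f.severity:8} line {f.line}: {f.title}")
```

Running it prints two critical and three high findings for the weak file (bare `Bash`, `bypassPermissions`, `Bash(npm:*)`, and the `~/.claude/` and `~/.ssh` references on line 7) and nothing for the hardened one. The point of the hardened sample is that the fix is not to remove the agent's shell access but to name the exact commands it needs, and to keep credential locations out of the instructions entirely.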
Full report: https://skillshield.io/report/cc2993cd252112b8
Powered by SkillShield