Trust Assessment
vibetunnel received a trust score of 65/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 4 findings: 1 critical, 2 high, 1 medium, and 0 low severity. Key findings include Arbitrary Command Execution via VibeTunnel API, Excessive Permissions due to Arbitrary Command Execution Capability, Potential Data Exfiltration via Configurable Endpoint (VT_URL).
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 33/100, indicating areas for improvement.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Layer Breakdown
Behavioral Risk Signals
Security Findings4
| Severity | Finding | Layer | Location | |
|---|---|---|---|---|
| CRITICAL | Arbitrary Command Execution via VibeTunnel API The 'Create Session' functionality of the VibeTunnel skill allows specifying an arbitrary 'command' array (e.g., `["zsh", "-l", "-i"]`) that will be executed by the VibeTunnel service. If the AI agent constructs this 'command' array using untrusted user input, it creates a direct path for arbitrary command injection on the host where the VibeTunnel service is running. An attacker could exploit this to execute malicious code, access sensitive data, or disrupt the system. Implement strict validation and sanitization of user-provided commands before passing them to the VibeTunnel API. Consider using a whitelist of allowed commands and arguments, or ensure that user input is never directly interpolated into the 'command' array without proper escaping and validation. The VibeTunnel service itself should also enforce robust security measures. | LLM | SKILL.md:24 | |
| HIGH | Excessive Permissions due to Arbitrary Command Execution Capability The VibeTunnel skill, by design, exposes the ability to create terminal sessions and execute arbitrary commands with specified working directories on the host system. This grants the AI agent broad permissions equivalent to the VibeTunnel service process. If the agent is compromised or misused, this capability can be exploited for system compromise, unauthorized data access, or privilege escalation. Restrict the types of commands and working directories that the AI agent can request through the VibeTunnel API. Implement a robust access control mechanism for the VibeTunnel service itself, and ensure the service runs with the principle of least privilege. Limit the agent's ability to construct arbitrary commands from untrusted input. | LLM | SKILL.md:24 | |
| HIGH | Potential Data Exfiltration via Configurable Endpoint (VT_URL) The skill uses the `VT_URL` environment variable to determine the VibeTunnel server endpoint. If this environment variable is maliciously configured to point to an untrusted external server, all data sent by the skill (including session creation details, commands, working directories, and input) could be exfiltrated to that server. This poses a significant data exfiltration risk if the environment is compromised or the variable is manipulated. Implement strict validation or whitelisting for the `VT_URL` environment variable, ensuring it only points to trusted, internal endpoints. Alert users if `VT_URL` is set to an unusual or external address. Consider using a more secure method for configuring service endpoints that is less susceptible to environment variable manipulation. | LLM | SKILL.md:18 | |
| MEDIUM | Unpinned Dependency in Manifest The `vibetunnel` package dependency is not pinned to a specific version in the skill's manifest. This means that installing the skill could pull in any future version of the `vibetunnel` package, including potentially malicious or vulnerable versions, without explicit review. This introduces a supply chain risk. Pin the `vibetunnel` package dependency to a specific, known-good version (e.g., `"package": "vibetunnel@1.2.3"`) in the manifest to ensure deterministic and secure installations. Regularly review and update the pinned version. | LLM | SKILL.md |
Scan History
Embed Code
[](https://skillshield.io/report/796cd41d08bc0a8b)
Powered by SkillShield