Summary
Feature release that gives vibekit its first security awareness. Adds a new 16th skill, security-review — an optional, threat-model-driven gate that reviews the code a vibe run produced before it can reach finish-branch. Until now the pipeline had no security step anywhere; review-pack even explicitly disclaims security ("correctness, security, and performance belong to the other passes"), leaving it an orphaned concern. This release fills that gap.
The threat taxonomy is distilled from NVIDIA's SkillSpector, but the skill ships as a self-contained prose prompt with zero external dependency — no CLI, Python, YARA, or network calls — so it stays portable across all five runtimes (Claude Code, Codex, Gemini, Pi, OpenCode).
Highlights
- New
security-reviewskill — a tiered security pass over the vibe run's diff, quoting verbatimfile:lineevidence, scoring findings, and hard-gating on CRITICAL/HIGH with a written-waiver escape. - Optional, symmetric with
review-pack— offered invibe's final message afterverify-gatereturnsready. It is not a new pipeline stage: the 7-stagevibepipeline is unchanged, and a user may runsecurity-review,review-pack, both, or neither beforefinish-branch. - Tiered threat model — universal code-security on every diff, plus AI-artifact-specific checks that activate only when the diff builds a skill/agent/prompt/MCP server, so ordinary application code doesn't get noise from prompt-injection or MCP checks.
- Self-contained — no external tooling; a behavior-shaping prompt like the other skills, delivered by all five runtime adapters from one canonical
SKILL.md.
What's new: security-review
Detection engine — inline staged-checklist reasoning (no subagent dispatch, no maintained regex library, never executes the reviewed code):
- Auto-skip check — diffs touching only docs/tests/non-executable config get
no security surface — skipped, verdictclear, no gate. The definition is deliberately conservative: a file carrying agent-followable natural-language instructions (even an ordinary-looking.md) is not skip-eligible. When in doubt, it does not skip. - Artifact classification — decides whether Tier 2 activates (a
SKILL.md, prompt/agent definition, MCP server viaregisterTool/@modelcontextprotocol, or anything underskills/,prompts/,agents/). - Grep-first recall sweep — scans for high-signal tokens (
eval(,exec(,subprocess,os.system,curl | bash,os.environ,base64.b64decode,getattr(os,, hardcoded-credential patterns) as candidates to adjudicate. - Walk active categories — each finding backed by a verbatim
file:linequote, or it doesn't count. - Score — CRITICAL +50 / HIGH +25 / MEDIUM +10 / LOW +5, ×1.3 for executable scripts, mapped to a
SAFE | CAUTION | DO_NOT_INSTALLband (informational). - Gate — any CRITICAL or HIGH finding ⇒ verdict
blocked(independent of the aggregate score);finish-branchis unavailable until the userfixes orwaives with a written reason.
Threat coverage (16 categories, 2 tiers):
- Tier 1 — universal (every diff): dangerous code / AST, taint source→sink, data exfiltration, privilege escalation, supply chain, tool misuse, output handling, hardcoded secrets.
- Tier 2 — AI-artifact-specific (skill/agent/prompt/MCP only): prompt injection, anti-refusal, system-prompt leakage, memory poisoning, rogue agent, trigger abuse, MCP least-privilege, MCP tool-poisoning.
Output — a report at docs/security/YYYY-MM-DD-<feature>-security.md with classification, severity-grouped findings, score, verdict, and waiver record.
Validated — a behavioral static eval passed 4/4: benign code → clear; subprocess(shell=True) on request input → CRITICAL taint, blocked; an injected SKILL.md ("ignore all previous instructions" + SSH-key read) → Tier 2 prompt-injection, blocked; a docs-only diff → auto-skipped.
Consistency & tooling
- Skill count 15 → 16 across
AGENTS.md,CLAUDE.md,README.md, and.pi-plugin/INSTALL.md— this also corrects pre-existing count drift (some files still said 14/15 in both digit and word form). vibekit-doctornow expects the newdocs/security/output directory (C4 subdir check +--fixremediation table).package.jsonfilesallow-list now shipsskills/security-review/(the npm publish whitelist is explicit, unlike the dir-glob plugin manifests) — caught and fixed by thecheck:packCI guard.- Plugin manifests were not touched: all four use
"skills": "./skills/"dir-glob auto-discovery, so a new skill needs no per-manifest edit.
Upgrade notes
- No breaking changes and no behavior change to any existing skill. The 7-stage
vibepipeline is identical;security-reviewis purely additive and opt-in. - To use it after a vibe run reaches
verify-gate: ready, pick the security-review option invibe's final message, or invoke the skill on the current diff standalone. - Scope / limits:
security-reviewreviews the current run's diff — it is not a general third-party scanner (that's SkillSpector's job) and does not sandbox; classification and detection are heuristic, so a novel MCP/agent framework could be misclassified. Treat it as a first-line gate, not a guarantee.
Full changelog: v0.5.1...v0.5.2