Skip to content

v0.5.2

Latest

Choose a tag to compare

@rizukirr rizukirr released this 11 Jul 14:51

Summary

Feature release that gives vibekit its first security awareness. Adds a new 16th skill, security-review — an optional, threat-model-driven gate that reviews the code a vibe run produced before it can reach finish-branch. Until now the pipeline had no security step anywhere; review-pack even explicitly disclaims security ("correctness, security, and performance belong to the other passes"), leaving it an orphaned concern. This release fills that gap.

The threat taxonomy is distilled from NVIDIA's SkillSpector, but the skill ships as a self-contained prose prompt with zero external dependency — no CLI, Python, YARA, or network calls — so it stays portable across all five runtimes (Claude Code, Codex, Gemini, Pi, OpenCode).

Highlights

  • New security-review skill — a tiered security pass over the vibe run's diff, quoting verbatim file:line evidence, scoring findings, and hard-gating on CRITICAL/HIGH with a written-waiver escape.
  • Optional, symmetric with review-pack — offered in vibe's final message after verify-gate returns ready. It is not a new pipeline stage: the 7-stage vibe pipeline is unchanged, and a user may run security-review, review-pack, both, or neither before finish-branch.
  • Tiered threat model — universal code-security on every diff, plus AI-artifact-specific checks that activate only when the diff builds a skill/agent/prompt/MCP server, so ordinary application code doesn't get noise from prompt-injection or MCP checks.
  • Self-contained — no external tooling; a behavior-shaping prompt like the other skills, delivered by all five runtime adapters from one canonical SKILL.md.

What's new: security-review

Detection engine — inline staged-checklist reasoning (no subagent dispatch, no maintained regex library, never executes the reviewed code):

  1. Auto-skip check — diffs touching only docs/tests/non-executable config get no security surface — skipped, verdict clear, no gate. The definition is deliberately conservative: a file carrying agent-followable natural-language instructions (even an ordinary-looking .md) is not skip-eligible. When in doubt, it does not skip.
  2. Artifact classification — decides whether Tier 2 activates (a SKILL.md, prompt/agent definition, MCP server via registerTool / @modelcontextprotocol, or anything under skills/, prompts/, agents/).
  3. Grep-first recall sweep — scans for high-signal tokens (eval(, exec(, subprocess, os.system, curl | bash, os.environ, base64.b64decode, getattr(os,, hardcoded-credential patterns) as candidates to adjudicate.
  4. Walk active categories — each finding backed by a verbatim file:line quote, or it doesn't count.
  5. Score — CRITICAL +50 / HIGH +25 / MEDIUM +10 / LOW +5, ×1.3 for executable scripts, mapped to a SAFE | CAUTION | DO_NOT_INSTALL band (informational).
  6. Gate — any CRITICAL or HIGH finding ⇒ verdict blocked (independent of the aggregate score); finish-branch is unavailable until the user fixes or waives with a written reason.

Threat coverage (16 categories, 2 tiers):

  • Tier 1 — universal (every diff): dangerous code / AST, taint source→sink, data exfiltration, privilege escalation, supply chain, tool misuse, output handling, hardcoded secrets.
  • Tier 2 — AI-artifact-specific (skill/agent/prompt/MCP only): prompt injection, anti-refusal, system-prompt leakage, memory poisoning, rogue agent, trigger abuse, MCP least-privilege, MCP tool-poisoning.

Output — a report at docs/security/YYYY-MM-DD-<feature>-security.md with classification, severity-grouped findings, score, verdict, and waiver record.

Validated — a behavioral static eval passed 4/4: benign code → clear; subprocess(shell=True) on request input → CRITICAL taint, blocked; an injected SKILL.md ("ignore all previous instructions" + SSH-key read) → Tier 2 prompt-injection, blocked; a docs-only diff → auto-skipped.

Consistency & tooling

  • Skill count 15 → 16 across AGENTS.md, CLAUDE.md, README.md, and .pi-plugin/INSTALL.md — this also corrects pre-existing count drift (some files still said 14/15 in both digit and word form).
  • vibekit-doctor now expects the new docs/security/ output directory (C4 subdir check + --fix remediation table).
  • package.json files allow-list now ships skills/security-review/ (the npm publish whitelist is explicit, unlike the dir-glob plugin manifests) — caught and fixed by the check:pack CI guard.
  • Plugin manifests were not touched: all four use "skills": "./skills/" dir-glob auto-discovery, so a new skill needs no per-manifest edit.

Upgrade notes

  • No breaking changes and no behavior change to any existing skill. The 7-stage vibe pipeline is identical; security-review is purely additive and opt-in.
  • To use it after a vibe run reaches verify-gate: ready, pick the security-review option in vibe's final message, or invoke the skill on the current diff standalone.
  • Scope / limits: security-review reviews the current run's diff — it is not a general third-party scanner (that's SkillSpector's job) and does not sandbox; classification and detection are heuristic, so a novel MCP/agent framework could be misclassified. Treat it as a first-line gate, not a guarantee.

Full changelog: v0.5.1...v0.5.2