Run Claude Code, Gemini, Codex — or any coding agent — in a clean, isolated sandbox with sensitive data redaction and observability baked in.
# Add to your Claude Code skills
git clone https://github.com/superagent-ai/vibekitLast scanned: 4/26/2026
{
"issues": [
{
"type": "npm-audit",
"message": "@aws-sdk/client-s3: Vulnerability found",
"severity": "high"
},
{
"type": "npm-audit",
"message": "@aws-sdk/client-sso: Vulnerability found",
"severity": "high"
},
{
"type": "npm-audit",
"message": "@aws-sdk/core: Vulnerability found",
"severity": "high"
},
{
"type": "npm-audit",
"message": "@aws-sdk/credential-provider-env: Vulnerability found",
"severity": "high"
},
{
"type": "npm-audit",
"message": "@aws-sdk/credential-provider-http: Vulnerability found",
"severity": "high"
},
{
"type": "npm-audit",
"message": "@aws-sdk/credential-provider-ini: Vulnerability found",
"severity": "high"
},
{
"type": "npm-audit",
"message": "@aws-sdk/credential-provider-node: Vulnerability found",
"severity": "high"
},
{
"type": "npm-audit",
"message": "@aws-sdk/credential-provider-process: Vulnerability found",
"severity": "high"
},
{
"type": "npm-audit",
"message": "@aws-sdk/credential-provider-sso: Vulnerability found",
"severity": "high"
},
{
"type": "npm-audit",
"message": "@aws-sdk/credential-provider-web-identity: Vulnerability found",
"severity": "high"
},
{
"type": "npm-audit",
"message": "@aws-sdk/middleware-flexible-checksums: Vulnerability found",
"severity": "high"
},
{
"type": "npm-audit",
"message": "@aws-sdk/middleware-sdk-s3: Vulnerability found",
"severity": "high"
},
{
"type": "npm-audit",
"message": "@aws-sdk/middleware-user-agent: Vulnerability found",
"severity": "high"
},
{
"type": "npm-audit",
"message": "@aws-sdk/nested-clients: Vulnerability found",
"severity": "high"
},
{
"type": "npm-audit",
"message": "@aws-sdk/signature-v4-multi-region: Vulnerability found",
"severity": "high"
},
{
"type": "npm-audit",
"message": "@aws-sdk/token-providers: Vulnerability found",
"severity": "high"
},
{
"type": "npm-audit",
"message": "@aws-sdk/util-user-agent-node: Vulnerability found",
"severity": "high"
},
{
"type": "npm-audit",
"message": "@aws-sdk/xml-builder: Vulnerability found",
"severity": "high"
},
{
"type": "npm-audit",
"message": "@blaxel/core: Vulnerability found",
"severity": "medium"
},
{
"type": "npm-audit",
"message": "@dagger.io/dagger: Vulnerability found",
"severity": "medium"
},
{
"type": "npm-audit",
"message": "@daytonaio/sdk: Vulnerability found",
"severity": "high"
},
{
"type": "npm-audit",
"message": "@google-cloud/dlp: Vulnerability found",
"severity": "critical"
},
{
"type": "npm-audit",
"message": "@modelcontextprotocol/sdk: Anthropic's MCP TypeScript SDK has a ReDoS vulnerability",
"severity": "high"
},
{
"type": "npm-audit",
"message": "@opentelemetry/exporter-jaeger: Vulnerability found",
"severity": "medium"
},
{
"type": "npm-audit",
"message": "@smithy/config-resolver: AWS SDK for JavaScript v3 adopted defense in depth enhancement for region parameter value",
"severity": "low"
},
{
"type": "npm-audit",
"message": "ajv: ajv has ReDoS when using `$data` option",
"severity": "medium"
},
{
"type": "npm-audit",
"message": "axios: Axios is Vulnerable to Denial of Service via __proto__ Key in mergeConfig",
"severity": "high"
},
{
"type": "npm-audit",
"message": "body-parser: body-parser is vulnerable to denial of service when url encoding is used",
"severity": "medium"
},
{
"type": "npm-audit",
"message": "brace-expansion: brace-expansion: Zero-step sequence causes process hang and memory exhaustion",
"severity": "medium"
},
{
"type": "npm-audit",
"message": "defu: defu: Prototype pollution via `__proto__` key in defaults argument",
"severity": "high"
},
{
"type": "npm-audit",
"message": "fast-xml-parser: fast-xml-parser has RangeError DoS Numeric Entities Bug",
"severity": "critical"
},
{
"type": "npm-audit",
"message": "flatted: flatted vulnerable to unbounded recursion DoS in parse() revive phase",
"severity": "high"
},
{
"type": "npm-audit",
"message": "follow-redirects: follow-redirects leaks Custom Authentication Headers to Cross-Domain Redirect Targets",
"severity": "medium"
},
{
"type": "npm-audit",
"message": "glob: glob CLI: Command injection via -c/--cmd executes matches with shell:true",
"severity": "high"
},
{
"type": "npm-audit",
"message": "google-gax: Vulnerability found",
"severity": "critical"
},
{
"type": "npm-audit",
"message": "jaeger-client: Vulnerability found",
"severity": "medium"
},
{
"type": "npm-audit",
"message": "js-yaml: js-yaml has prototype pollution in merge (<<)",
"severity": "medium"
},
{
"type": "npm-audit",
"message": "jws: auth0/node-jws Improperly Verifies HMAC Signature",
"severity": "high"
},
{
"type": "npm-audit",
"message": "lodash: Lodash has Prototype Pollution Vulnerability in `_.unset` and `_.omit` functions",
"severity": "high"
},
{
"type": "npm-audit",
"message": "lodash-es: Lodash has Prototype Pollution Vulnerability in `_.unset` and `_.omit` functions",
"severity": "high"
},
{
"type": "npm-audit",
"message": "markdown-it: markdown-it is has a Regular Expression Denial of Service (ReDoS)",
"severity": "medium"
},
{
"type": "npm-audit",
"message": "miniflare: Vulnerability found",
"severity": "medium"
},
{
"type": "npm-audit",
"message": "minimatch: minimatch has a ReDoS via repeated wildcards with non-matching literal in pattern",
"severity": "high"
},
{
"type": "npm-audit",
"message": "modal: Vulnerability found",
"severity": "medium"
},
{
"type": "npm-audit",
"message": "next: Next.js is vulnerable to RCE in React flight protocol",
"severity": "critical"
},
{
"type": "npm-audit",
"message": "node-forge: node-forge has ASN.1 Unbounded Recursion",
"severity": "high"
},
{
"type": "npm-audit",
"message": "path-to-regexp: path-to-regexp vulnerable to Denial of Service via sequential optional groups",
"severity": "high"
},
{
"type": "npm-audit",
"message": "picomatch: Picomatch: Method Injection in POSIX Character Classes causes incorrect Glob Matching",
"severity": "high"
},
{
"type": "npm-audit",
"message": "postcss: PostCSS has XSS via Unescaped </style> in its CSS Stringify Output",
"severity": "medium"
},
{
"type": "npm-audit",
"message": "protobufjs: protobufjs Prototype Pollution vulnerability",
"severity": "critical"
},
{
"type": "npm-audit",
"message": "qs: qs's arrayLimit bypass in comma parsing allows denial of service",
"severity": "medium"
},
{
"type": "npm-audit",
"message": "redact-pii: Vulnerability found",
"severity": "critical"
},
{
"type": "npm-audit",
"message": "rollup: Rollup 4 has Arbitrary File Write via Path Traversal",
"severity": "high"
},
{
"type": "npm-audit",
"message": "smol-toml: smol-toml: Denial of Service via TOML documents containing thousands of consecutive commented lines",
"severity": "medium"
},
{
"type": "npm-audit",
"message": "tar: node-tar Vulnerable to Arbitrary File Creation/Overwrite via Hardlink Path Traversal",
"severity": "high"
},
{
"type": "npm-audit",
"message": "underscore: Underscore has unlimited recursion in _.flatten and _.isEqual, potential for DoS attack",
"severity": "high"
},
{
"type": "npm-audit",
"message": "undici: Undici has an unbounded decompression chain in HTTP responses on Node.js Fetch API via Content-Encoding leads to resource exhaustion",
"severity": "high"
},
{
"type": "npm-audit",
"message": "uuid: uuid: Missing buffer bounds check in v3/v5/v6 when buf is provided",
"severity": "medium"
},
{
"type": "npm-audit",
"message": "vibekit-proxy: Vulnerability found",
"severity": "critical"
},
{
"type": "npm-audit",
"message": "vite: Vite Vulnerable to Path Traversal in Optimized Deps `.map` Handling",
"severity": "high"
},
{
"type": "npm-audit",
"message": "wrangler: Wrangler affected by OS Command Injection in `wrangler pages deploy`",
"severity": "high"
},
{
"type": "npm-audit",
"message": "yaml: yaml is vulnerable to Stack Overflow via deeply nested YAML collections",
"severity": "medium"
}
],
"status": "FAILED",
"scannedAt": "2026-04-26T06:07:52.810Z",
"semgrepRan": false,
"npmAuditRan": true,
"pipAuditRan": true
}vibekit is an open-source ai agents skill for AI coding assistants such as Claude Code, Codex CLI, and ChatGPT, built by superagent-ai. Run Claude Code, Gemini, Codex — or any coding agent — in a clean, isolated sandbox with sensitive data redaction and observability baked in. It has 1,819 GitHub stars.
vibekit failed SkillsLLM's automated security scan, which flagged one or more high-severity issues. Review the Security Report section carefully before using it.
Clone the repository with "git clone https://github.com/superagent-ai/vibekit" and add it to your Claude Code skills directory (see the Installation section above).
vibekit is primarily written in TypeScript. It is open-source under superagent-ai on GitHub, so you can review or fork the full source.
Yes. SkillsLLM lists many other AI Agents skills you can browse and compare side by side. Open the AI Agents category from the badge at the top of this page, or use the Related Skills and comparison links further down to weigh vibekit against similar tools.
No comments yet. Be the first to share your thoughts!
Requires a passing catalog security scan. Resolve the flagged issues and resubmit to enable featuring.
Run Claude Code, Gemini, Codex — or any coding agent — in a clean, isolated sandbox with sensitive data redaction and observability baked in.
Install the VibeKit CLI globally:
npm install -g vibekit
Run claude code with enhanced security and tracking
vibekit claude
🐳 Local sandbox - Runs agent output in isolated Docker containers — zero risk to your local setup
🔒 Built-in redaction - Auto-removes secrets, api keys, and other sensitive data completions
📊 Observability - Complete visibility into agent operations with real-time logs, traces, and metrics
🌐 Universal agent support - Works with Claude Code, Gemini CLI, Grok CLI, Codex CLI, OpenCode, and more
💻 Works offline & locally - No cloud dependencies or internet required — works entirely on your machine
Looking to integrate VibeKit into your application? Check out these packages:
Run coding agents in secure sandboxes with full control and monitoring.
npm install @vibe-kit/sdk
Perfect for building applications that need to execute AI-generated code safely.
Use your MAX subscriptions in AI Apps.
npm install @vibe-kit/auth
Handle authentication flows for your VibeKit-powered applications.
Contributions welcome! Open an issue, start a discussion, or submit a pull request.
MIT — see LICENSE for details.
© 2025 Superagent Technologies Inc.