VibeShift
Verified Safeby GroundNG
Overview
VibeShift is an intelligent security agent that integrates with AI coding assistants to analyze AI-generated code for vulnerabilities, suggest remediations, and facilitate web test recording, crawling, and execution.
Installation
mcp dev mcp_server.pyEnvironment Variables
- LLM_API_KEY
- LLM_BASE_URL
- LLM_API_VERSION
- LLM_MODEL
- LLM_TIMEOUT
Security Notes
The system utilizes subprocess.run to execute external security tools (Semgrep, Nuclei, ZAP), which is a controlled but inherent risk. Input validation and command quoting (shlex.quote) are used to mitigate injection risks. Playwright's page.evaluate is used to inject JavaScript for DOM manipulation and event listening (e.g., click overrides, UI panel), which is standard practice for browser automation but means injected JS code runs in the browser context. LLM API keys are loaded via environment variables, not hardcoded, which is good practice. The auth_state.json feature saves user credentials to disk, which is a potential local information disclosure risk if the file is not adequately secured, though user-initiated.
Similar Servers
burp-mcp-agents
Connects Burp Suite MCP Server to AI backends (Codex, Gemini, Ollama, LM Studio) for assisted, non-destructive vulnerability analysis using real Burp traffic.
flowlens-mcp-server
Provides coding agents with full browser context from recorded user flows for debugging and regression testing.
pentestMCP
This MCP server enables AI agents to perform automated and interactive penetration testing tasks by exposing a suite of security assessment utilities as callable tools.
mcp-zap-server
Orchestrates OWASP ZAP security scanning actions (spider, active scan, OpenAPI import, reporting) via the Model Context Protocol, enabling AI agents like Claude Desktop or Cursor to perform security testing.