VibeShift
Verified Safeby GroundNG
Overview
VibeShift is an intelligent security agent that integrates with AI coding assistants to analyze AI-generated code for vulnerabilities, suggest remediations, and facilitate web test recording, crawling, and execution.
Installation
mcp dev mcp_server.pyEnvironment Variables
- LLM_API_KEY
- LLM_BASE_URL
- LLM_API_VERSION
- LLM_MODEL
- LLM_TIMEOUT
Security Notes
The system utilizes subprocess.run to execute external security tools (Semgrep, Nuclei, ZAP), which is a controlled but inherent risk. Input validation and command quoting (shlex.quote) are used to mitigate injection risks. Playwright's page.evaluate is used to inject JavaScript for DOM manipulation and event listening (e.g., click overrides, UI panel), which is standard practice for browser automation but means injected JS code runs in the browser context. LLM API keys are loaded via environment variables, not hardcoded, which is good practice. The auth_state.json feature saves user credentials to disk, which is a potential local information disclosure risk if the file is not adequately secured, though user-initiated.
Similar Servers
flowlens-mcp-server
Provides rich browser context (user actions, network, console, storage, DOM, screen recording) to coding agents for in-depth debugging and automated regression testing of web applications.
rocketship
This MCP server acts as a knowledgeable assistant for AI coding agents, providing guidance, examples, and introspection data for writing Rocketship tests, rather than directly generating test files.
mcp-pentest
An AI-driven middleware to orchestrate and manage penetration testing tools and engagements.
mcp-zap-server
Exposes OWASP ZAP actions as Model Context Protocol (MCP) tools, enabling AI agents (e.g., Claude Desktop, Cursor) to orchestrate security scanning operations, import OpenAPI specs, and generate reports.