
Security & Privacy

Everything the probe does, and everything it doesn't.

Scanner Inventory

The probe runs 11 scanners in parallel. Each is a single TypeScript file you can read in full:

  • deploy.ts: CI/CD configs, deploy targets, Netlify/Vercel/Docker
  • environment.ts: API key names in .env (never values), shell aliases, model providers
  • git-history.ts: commit frequency, co-author patterns, branch metadata
  • mcp.ts: MCP server configs in Claude Desktop, VS Code, Cursor
  • memory.ts: CLAUDE.md, rules files, context/memory system presence
  • orchestration.ts: subagents, hooks, tmux/worktree workflows, task runners
  • repositories.ts: monorepo tooling, npm workspaces, package.json scripts
  • security.ts: .gitignore coverage, env handling, agent permission boundaries
  • social.ts: public repos, npm packages, webhook integrations
  • universal-file.ts: config-driven multi-artifact scanner (~70 checks across project/global scope)
  • workspace.ts: IDE settings, extensions, editor integrations

Sample Output

Run npx vibecheck-score --json to see your full output. Here's a truncated example:

{
  "version": "0.4.1",
  "timestamp": "2026-02-18T12:00:00.000Z",
  "platform": "darwin",
  "detections": [
    {
      "id": "mcp-github",
      "category": "tooling",
      "name": "MCP: GitHub",
      "confidence": "high",
      "tier": "intermediate"
    },
    {
      "id": "claude-code",
      "category": "tooling",
      "name": "Claude Code CLI",
      "confidence": "high",
      "tier": "advanced"
    },
    {
      "id": "claude-md",
      "category": "continuity",
      "name": "CLAUDE.md",
      "confidence": "high",
      "tier": "intermediate"
    }
  ],
  "score": {
    "total": 42,
    "tier": "Builder",
    "level": 4,
    "categories": { "tooling": 18, "continuity": 8, "..." : "..." }
  }
}

Sanitization Pipeline

When you opt into --submit, the sanitizeForSubmit() function runs before any network call. It takes a whitelist approach: nothing leaves the machine unless a rule explicitly permits it.

  • File paths like ~/.zshrc are normalized to generic labels (shell-config)
  • Only numeric counts and enum-like strings pass through the detail whitelist
  • Agent names, alias names, and identifying details are stripped
  • Platform is set to "redacted"
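The following is an added illustration of the whitelist approach described above, written for this page; it is not the project's sanitizeForSubmit() and does not reproduce its schema. The detail keys (alias_count, server_count, shell, ...), the path-to-label table, the Confidence and Tier unions and the constructed sample report are all assumptions made for the example. The shape of each detection follows the sample output shown earlier on this page.

```typescript
// Added example, not the project's code: an allowlist sanitizer over the detection
// shape shown in the sample output. Detail keys, labels and types are assumptions.

type Confidence = "high" | "medium" | "low";
type Tier = "beginner" | "intermediate" | "advanced";

interface Detection {
  id: string;
  category: string;
  name: string;
  confidence: Confidence;
  tier: Tier;
  // Free-form material gathered locally; may hold paths, alias names, agent names.
  details?: Record<string, unknown>;
}

interface ScanReport {
  version: string;
  timestamp: string;
  platform: string;
  detections: Detection[];
}

// Only these detail keys may leave the machine, and only with the stated value
// shape. Keys are assumed for the example. "enum" must only be used for keys whose
// values come from a closed vocabulary (shell names, package managers), never user input.
const DETAIL_ALLOWLIST: Record<string, "count" | "enum"> = {
  alias_count: "count",
  server_count: "count",
  hook_count: "count",
  shell: "enum",
  package_manager: "enum",
};

// Enum-like strings are short lowercase identifiers; this rejects paths, emails, key material.
const ENUM_PATTERN = /^[a-z][a-z0-9_-]{0,31}$/;

// Well-known config paths collapse to coarse labels; anything unrecognised is dropped.
const PATH_LABELS: Array<[RegExp, string]> = [
  [/(^|\/)\.(zshrc|bashrc|bash_profile|profile)$/, "shell-config"],
  [/(^|\/)\.gitconfig$/, "git-config"],
  [/(^|\/)CLAUDE\.md$/i, "agent-instructions"],
  [/(^|\/)\.env(\.[a-z]+)?$/, "env-file"],
  [/(^|\/)claude_desktop_config\.json$/, "mcp-client-config"],
];

function labelForPath(path: string): string | undefined {
  for (const [pattern, label] of PATH_LABELS) {
    if (pattern.test(path)) return label;
  }
  return undefined;
}

function sanitizeDetails(details: Record<string, unknown> | undefined): Record<string, number | string> {
  const out: Record<string, number | string> = {};
  if (!details) return out;
  for (const [key, value] of Object.entries(details)) {
    if (key === "path" && typeof value === "string") {
      const label = labelForPath(value);
      if (label !== undefined) out.path_label = label;
      continue; // the raw path never passes, whether or not it was labelled
    }
    const kind = DETAIL_ALLOWLIST[key];
    if (kind === "count" && typeof value === "number" && Number.isInteger(value) && value >= 0) {
      out[key] = value;
    } else if (kind === "enum" && typeof value === "string" && ENUM_PATTERN.test(value)) {
      out[key] = value;
    }
    // Every other key (alias_names, agent_name, ...) is dropped by default.
  }
  return out;
}

function sanitizeForSubmit(report: ScanReport) {
  return {
    version: report.version,
    timestamp: report.timestamp,
    platform: "redacted",
    detections: report.detections.map((d) => ({
      id: d.id,
      category: d.category,
      confidence: d.confidence,
      tier: d.tier,
      details: sanitizeDetails(d.details),
    })),
  };
}

// Constructed sample input (not real scan output), seeded with the kinds of
// identifying material the pipeline must strip.
const SAMPLE_REPORT: ScanReport = {
  version: "0.4.1",
  timestamp: "2026-02-18T12:00:00.000Z",
  platform: "darwin",
  detections: [
    {
      id: "shell-aliases", category: "tooling", name: "Shell aliases", confidence: "high", tier: "intermediate",
      details: { path: "/Users/alice/.zshrc", alias_names: ["gco", "deploy-prod"], shell: "zsh", alias_count: 14 },
    },
    {
      id: "mcp-github", category: "tooling", name: "MCP: GitHub", confidence: "high", tier: "intermediate",
      details: {
        path: "/Users/alice/Library/Application Support/Claude/claude_desktop_config.json",
        agent_name: "alice-assistant",
        server_count: 3,
      },
    },
  ],
};

const SANITIZED = sanitizeForSubmit(SAMPLE_REPORT);
console.log(JSON.stringify(SANITIZED, null, 2));
```

The point of the key-plus-shape allowlist is that the default outcome is "dropped": a new scanner that starts recording a field nobody thought about cannot leak it until someone consciously adds the key. The shape checks are a second line, not the first; a value like a username would pass ENUM_PATTERN, so the enum category has to be reserved for keys whose values are drawn from a fixed set.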

Multi-Machine Merge Flow

The merge feature lets you combine scans from two machines (e.g., work laptop + personal desktop) into a single score:

  1. Machine A scans locally and submits → receives a handle
  2. You share the handle with Machine B
  3. Machine B runs npx vibecheck-score --merge-from <handle>
  4. Machine B fetches detection IDs only (not raw data) from Machine A's submission
  5. Machine B runs its own local scan, combines detections, and submits the merged result

At no point does one machine receive the other's raw scan data, file paths, or config contents.
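As an added example of step 4 and step 5 (written for this page, not the project's --merge-from implementation), the sketch below shows Machine B validating the fetched payload as a list of detection IDs and folding it into its own local scan. The ID pattern, the CATALOG of known detections, the "medium" default confidence for remote-only entries and the field names are assumptions for illustration; the detection IDs reuse those from the sample output.

```typescript
// Added example, not the project's code: merging remote detection IDs with a local
// scan. Shapes, the catalog and the ID pattern are assumptions for illustration.

interface LocalDetection {
  id: string;
  category: string;
  confidence: "high" | "medium" | "low";
  tier: "beginner" | "intermediate" | "advanced";
}

interface MergedDetection extends LocalDetection {
  // Which machine(s) contributed the detection: the only thing recorded about Machine A.
  source: "local" | "remote" | "both";
}

// Detection IDs are slugs. Anything else in the fetched payload (a path, a config
// string, an object) is rejected before it can enter the merged submission, so a
// buggy or hostile endpoint cannot smuggle raw data through the merge.
const ID_PATTERN = /^[a-z][a-z0-9-]{1,63}$/;

function parseRemoteIds(payload: unknown): string[] {
  if (!Array.isArray(payload)) throw new Error("remote payload is not a list of detection ids");
  const ids = new Set<string>();
  for (const item of payload) {
    if (typeof item !== "string" || !ID_PATTERN.test(item)) {
      throw new Error(`rejected remote detection id: ${JSON.stringify(item)}`);
    }
    ids.add(item);
  }
  return Array.from(ids);
}

// Detections this build of the probe knows how to score. In the real tool this would
// come from the scanner definitions; here it is constructed for the example.
const CATALOG: Record<string, Pick<LocalDetection, "category" | "tier">> = {
  "claude-code": { category: "tooling", tier: "advanced" },
  "claude-md": { category: "continuity", tier: "intermediate" },
  "mcp-github": { category: "tooling", tier: "intermediate" },
  "docker-deploy": { category: "deploy", tier: "intermediate" },
};

interface MergeResult {
  detections: MergedDetection[];
  // Remote IDs this build cannot score (e.g. Machine A ran a newer version). They are
  // surfaced rather than silently dropped, and never guessed at.
  unknownRemoteIds: string[];
}

function mergeDetections(local: LocalDetection[], remoteIds: string[]): MergeResult {
  const byId = new Map<string, MergedDetection>();
  for (const d of local) byId.set(d.id, { ...d, source: "local" });
  const unknownRemoteIds: string[] = [];
  for (const id of remoteIds) {
    const existing = byId.get(id);
    if (existing) {
      existing.source = "both"; // local evidence wins; remote adds nothing but provenance
      continue;
    }
    const known = CATALOG[id];
    if (!known) {
      unknownRemoteIds.push(id);
      continue;
    }
    // Remote-only detections carry no confidence of their own: only the ID crossed
    // the wire, so confidence is a fixed, non-identifying default (an assumption here).
    byId.set(id, { id, category: known.category, tier: known.tier, confidence: "medium", source: "remote" });
  }
  const detections = Array.from(byId.values()).sort((a, b) => a.id.localeCompare(b.id));
  return { detections, unknownRemoteIds };
}

// Constructed inputs: Machine B's own scan, and the payload fetched for Machine A's handle.
const LOCAL_SCAN: LocalDetection[] = [
  { id: "claude-code", category: "tooling", confidence: "high", tier: "advanced" },
  { id: "mcp-github", category: "tooling", confidence: "high", tier: "intermediate" },
];
const REMOTE_PAYLOAD: unknown = ["claude-md", "mcp-github", "some-future-check"];

const MERGED = mergeDetections(LOCAL_SCAN, parseRemoteIds(REMOTE_PAYLOAD));
console.log(JSON.stringify(MERGED, null, 2));
```

Two design choices matter here. Typing the remote side as a validated list of slugs means the merge cannot carry Machine A's paths or config contents even if the endpoint returned them; the parse step fails closed instead. Scoring remote-only IDs from a local catalog also means the combined score is computed entirely on Machine B, with version skew made visible through unknownRemoteIds rather than papered over.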

What The Scan Doesn't Collect

  • No source code or file contents
  • No secret values or API keys
  • No network calls during scanning (the only network traffic is the opt-in --submit or --merge-from, which carries sanitized output)
  • No persistent installation
  • No file modifications
  • No IP logging
  • No analytics or telemetry
  • No cookies or tracking

The submit API endpoint is open source: api/submit/route.ts