Methodology
A transparent description of how VibeGate performs automated analysis and what the results mean.
Overview
VibeGate applies fully automated static and dynamic analysis to AI agent skill packages. Results are summarised, scored, and recorded in a public ledger. No human review is performed unless explicitly purchased. All analysis is probabilistic and indicator-based — findings do not constitute a professional security assessment.
Analysis Pipeline
-
1
Artifact Intake & Hash Binding
The submitted skill package is received and an SHA-256 digest is computed immediately on arrival. All subsequent findings are cryptographically bound to this digest. Any modification to the package — even a single byte — produces a different hash and invalidates prior scan records for that artifact.
-
2
Static Analysis
The source code and dependency manifest are analysed without execution. Checks include: declared permission and capability scope, known-vulnerable dependency versions, obfuscated or encoded code blocks, hardcoded credentials patterns, and unexpected network or filesystem declarations. Results are summarised into structured findings.
-
3
Sandbox Execution
The skill is executed in an isolated, network-monitored environment. Observed behaviors — outbound connections, filesystem writes, process spawning, and environment variable access — are recorded. The sandbox session is time-limited and resource-constrained. Behaviors inconsistent with the skill's declared purpose are flagged as indicators.
-
4
Risk Scoring
Findings from both phases are combined into an integer risk score (0–100). Lower scores indicate fewer observed indicators. Thresholds:
- 0–30 — Verified: No significant indicators detected. Verification is specific to the scanned build hash.
- 31–70 — Under Review: Some indicators present; further review may be warranted.
- 71–100 — Risk Indicators: Multiple automated indicators detected. Detailed findings available in paid report.
-
5
Ledger Entry & Receipt
A permanent receipt is written to the public ledger, containing the artifact SHA-256, scan timestamp (UTC), status, risk score, and redacted finding summary. Full unredacted findings are available only in paid reports. Ledger entries cannot be deleted or modified after creation.
Important Limitations
Automated analysis has inherent limitations. Sophisticated evasion techniques, environment-specific behaviors, or skills that activate only under particular conditions may produce false negatives. Conversely, legitimate skills that use broad permissions for valid reasons may produce false positives.
A "Verified" status means no significant automated indicators were detected for that specific build artifact. It does not constitute a warranty, endorsement, or guarantee of safety. VibeGate is not responsible for any harm arising from reliance on automated scan results.
See our Terms of Service for the full limitation of liability.