For agents and tooling
vibecheck runs from your agent.
Claude Code, Cursor, Cline, Aider, OpenAI Codex CLI, Devin, and your own custom agents call vibecheck before a change is merged or deployed. Five integration shapes: agent skill manifest, JSON API, MCP server, npm CLI, GitHub Action. All are free up to the standard rate limits.
Start here
/skill.md is the manifest your agent reads.
Self-contained markdown: when to scan, how to invoke the free tier, how to escalate to a paid deep scan (only with explicit user authorization), and how to surface critical findings as plain-English consequences ("anyone can drain your Stripe account") rather than rule names.
One fetch, no SDK: the agent ingests it as plain markdown and acts on it. Whatever the manifest says becomes part of your agent's instructions, so read it once yourself before wiring it in, as you would any third-party instruction source.
```bash
# Fetch the manifest, paste into your agent's context
curl https://vibecheck.themeridianlab.com/skill.md

# Or have the agent fetch it directly:
# "Read https://vibecheck.themeridianlab.com/skill.md and
#  scan the deployed URL when I push code."
```
Integration shapes
Pick the one your agent already speaks.
JSON API
Send a URL. Get the report.
The simplest possible integration. The free tier allows 15 scans/minute and 100/hour per IP; higher limits are on the pricing page. The response shape is published as a JSON Schema (Draft 2020-12).
No auth is required for the free tier. Paid features (deep scan and subdomain enumeration) use an Authorization: Bearer header. Every scan request carries consent: true; send it only for targets you are authorized to test.
```bash
# Free tier — no auth
curl -X POST https://vibecheck.themeridianlab.com/api/scan \
  -H "Content-Type: application/json" \
  -d '{"url":"https://your-app.com","consent":true}'

# Deep scan (paid)
curl -X POST https://vibecheck.themeridianlab.com/api/scan \
  -H "Authorization: Bearer $VIBECHECK_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{"url":"https://your-app.com","consent":true,"deep":true}'

# Anonymized recent findings (public)
curl "https://vibecheck.themeridianlab.com/api/feed?limit=25"
```
MCP server
For Claude Code, Cursor, Cline.
Connect vibecheck as a Model Context Protocol server. Your agent gets three tools: vibecheck_scan (full report), vibecheck_secrets (secrets-only fast scan), vibecheck_rls_sql (returns autofix RLS policy SQL).
Endpoint: POST https://vibecheck.themeridianlab.com/api/mcp
```jsonc
// Claude Code: ~/.config/claude/mcp.json
{
  "mcpServers": {
    "vibecheck": {
      "url": "https://vibecheck.themeridianlab.com/api/mcp"
    }
  }
}
// Cursor: same JSON in Cursor settings → MCP servers
// Cline: same JSON in cline.mcp.servers
```
CLI
For CI / GitHub Actions / pre-deploy hooks.
Drop-in for any deploy pipeline. Exits non-zero on critical findings, so the workflow fails before merge. JSON output for piping into jq or your own gate logic.
Distributed via npm as vibecheck-cli. Zero runtime dependencies, Node 18+. Note that npx -y vibecheck-cli resolves the latest published version on every run; in CI, pin a version (vibecheck-cli@<version>) so a new release cannot silently change what your gate executes.
```bash
# One-shot
npx -y vibecheck-cli https://your-deploy.vercel.app

# In CI — fail build on critical findings
npx -y vibecheck-cli "$DEPLOY_URL" --exit-on critical

# Tighter gate — fail on any high-severity finding
npx -y vibecheck-cli "$DEPLOY_URL" --exit-on high

# Get the JSON report and parse with jq
npx -y vibecheck-cli "$DEPLOY_URL" --json | jq '.grade'
```

```yaml
# GitHub Actions step
- name: vibecheck
  run: npx -y vibecheck-cli ${{ vars.PREVIEW_URL }} --exit-on critical
```
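A gate written in your own code instead of --exit-on, serving both the JSON API and the CLI sections above. This is an added example, not vibecheck's own code or CLI: it assumes the report JSON has a grade field and a findings array whose items carry the rule, severity and evidence fields described under Design principles, and the SAMPLE_REPORT it ships with is constructed for the offline run, not real scanner output. It needs Node 18+ for the global fetch.

```javascript
// gate.js: severity gate over a vibecheck scan report (added example, not vibecheck's code).
// ASSUMED report shape: { grade, findings: [{ rule, severity, evidence }] }.
// Severity enum from the page: critical / high / medium / low / info.
// Usage:  node gate.js                         -> runs the gate on SAMPLE_REPORT (offline)
//         node gate.js https://app.example high -> scans the URL, exits 1 on any finding >= high

const SCAN_API = "https://vibecheck.themeridianlab.com/api/scan";
const SEVERITY_RANK = { critical: 4, high: 3, medium: 2, low: 1, info: 0 };

// Constructed sample report (not real scanner output), used when no URL is given.
const SAMPLE_REPORT = {
  grade: "C",
  findings: [
    { rule: "jwt_alg_none", severity: "critical", evidence: { header: { alg: "none" } } },
    { rule: "cors_origin_reflected_with_credentials", severity: "high", evidence: { origin: "https://evil.example" } },
    { rule: "missing_sri_external_script", severity: "medium", evidence: { src: "https://code.jquery.com/jquery-3.7.1.min.js" } },
  ],
};

// POST to /api/scan. consent:true is required on every request; deep scans need the paid-tier key.
async function scanUrl(url, { deep = false, apiKey = process.env.VIBECHECK_API_KEY } = {}) {
  const headers = { "Content-Type": "application/json" };
  if (deep) {
    if (!apiKey) throw new Error("deep scan requires VIBECHECK_API_KEY");
    headers.Authorization = `Bearer ${apiKey}`;
  }
  const res = await fetch(SCAN_API, {
    method: "POST",
    headers,
    body: JSON.stringify({ url, consent: true, deep }),
  });
  if (res.status === 429) throw new Error("rate limited (free tier: 15/min, 100/hr per IP)");
  if (!res.ok) throw new Error(`scan failed: HTTP ${res.status}`);
  return res.json();
}

// Pure gate logic. `allow` maps rule names you have reviewed and accepted to a written reason;
// anything at or above `threshold` that is not in `allow` blocks. Unrecognised severities block
// too, so a schema change fails closed instead of silently passing.
function gateReport(report, threshold = "critical", allow = new Map()) {
  if (!(threshold in SEVERITY_RANK)) throw new Error(`unknown threshold: ${threshold}`);
  const findings = Array.isArray(report.findings) ? report.findings : [];
  const blocking = [];
  const allowlisted = [];
  for (const f of findings) {
    const rank = SEVERITY_RANK[f.severity];
    if (rank === undefined) {
      blocking.push({ ...f, gateReason: `unrecognised severity "${f.severity}"` });
      continue;
    }
    if (rank < SEVERITY_RANK[threshold]) continue;
    if (allow.has(f.rule)) {
      allowlisted.push({ rule: f.rule, severity: f.severity, reason: allow.get(f.rule) });
      continue;
    }
    blocking.push({ ...f, gateReason: `${f.severity} >= ${threshold}` });
  }
  // Most severe first; unrecognised severities sort to the top.
  blocking.sort((a, b) => (SEVERITY_RANK[b.severity] ?? 99) - (SEVERITY_RANK[a.severity] ?? 99));
  return { pass: blocking.length === 0, grade: report.grade ?? null, blocking, allowlisted };
}

function formatResult(result) {
  const lines = [`grade=${result.grade} pass=${result.pass}`];
  for (const f of result.blocking) lines.push(`  BLOCK ${String(f.severity).padEnd(8)} ${f.rule}  (${f.gateReason})`);
  for (const a of result.allowlisted) lines.push(`  allow ${String(a.severity).padEnd(8)} ${a.rule}  (${a.reason})`);
  return lines.join("\n");
}

async function main() {
  const [url, threshold = "critical"] = process.argv.slice(2);
  // Allowlist entries are reviewed decisions with a reason, not a silence switch.
  const allow = new Map([["missing_sri_external_script", "tracked; vendor script pinned by version"]]);
  const report = url ? await scanUrl(url) : SAMPLE_REPORT;
  const result = gateReport(report, threshold, allow);
  console.log(formatResult(result));
  if (url && !result.pass) process.exitCode = 1; // only real scans gate; the offline demo always exits 0
}

main().catch((err) => { console.error(err.message); process.exitCode = 2; });
```

The allowlist is deliberately a map to a reason rather than a set: a finding you have accepted should carry the justification with it, and an unknown severity value blocks rather than passes so that a response-shape change is noticed the first time it happens.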
Quickfix
Scan finds a problem. Quickfix returns the patch.
The natural completion of the agent loop: /api/scan tells you what's broken, /api/quickfix returns apply-ready code with format, applyWith, verify, and warnings fields. Supabase RLS findings get parameterised SQL. SRI findings get parameterised shell. Secret-leak findings get a rotation runbook.
Two input shapes: a single {rule, context} or an entire {report} object from a prior scan. Both return the same Patch[] shape. Rate limit is 30/min and 200/hr per IP, higher than scan because patch generation is cheap. A patch is still code from a remote service: read its warnings before applying it and run its verify command afterwards.
```bash
# Quickfix for a single finding
curl -X POST https://vibecheck.themeridianlab.com/api/quickfix \
  -H "Content-Type: application/json" \
  -d '{"rule":"missing_sri_external_script","context":{"url":"https://code.jquery.com/jquery-3.7.1.min.js"}}'

# Quickfix from a full scan report — patches every critical/high finding
curl -X POST https://vibecheck.themeridianlab.com/api/scan \
  -H "Content-Type: application/json" \
  -d '{"url":"https://your-app.com","consent":true}' \
  | jq '{report: .}' \
  | curl -X POST https://vibecheck.themeridianlab.com/api/quickfix \
      -H "Content-Type: application/json" --data-binary @-
```

```json
// Response shape
{
  "patches": [
    {
      "rule": "missing_sri_external_script",
      "title": "Add SRI to code.jquery.com",
      "severity": "medium",
      "format": "shell",
      "code": "# 1. Generate the SHA-384 hash...",
      "applyWith": "Run the shell snippet, edit your HTML",
      "verify": "curl -sL https://your-site.com | grep integrity=",
      "warnings": ["..."],
      "precise": true,
      "fixUrl": "https://vibecheck.themeridianlab.com/fix/missing_sri_external_script"
    }
  ],
  "noPatchAvailable": []
}
```
GitHub Action
Drop-in for any GitHub workflow.
Composite action: pure bash with curl and jq, no Node, Docker or npm. Cold start is about 2 s on ubuntu-latest. Optional PR-comment mode posts the top 10 findings to the diff; it needs the pull-requests: write permission shown in the workflow below, so grant it only on jobs that use that mode.
Available at: themeridianlab/vibecheck-cf/.github/actions/vibecheck@main. The @main ref tracks the repository's default branch, so the action code can change between runs; for a reproducible gate, pin the ref to a commit SHA.
```yaml
# .github/workflows/security.yml
name: vibecheck
on: pull_request
jobs:
  scan:
    runs-on: ubuntu-latest
    permissions:
      pull-requests: write
    steps:
      - uses: themeridianlab/vibecheck-cf/.github/actions/vibecheck@main
        with:
          url: https://${{ env.PREVIEW_URL }}
          exit-on: critical
          comment-on-pr: 'true'
```
Design principles
Why we built this for agents specifically.
Most security scanners are designed for human security engineers. They produce reports nobody reads. Agents are different: they pull JSON, parse it, and decide.
Every finding we return has a stable rule name (supabase_service_role_in_client, jwt_alg_none, cors_origin_reflected_with_credentials), a severity enum (critical / high / medium / low / info), and structured evidence. No graphical dashboards. No "log in to see your report." No marketing on the response.
The free tier is enough to run vibecheck on every push during a one-person side project. We charge when you grow into someone who'd benefit from continuous monitoring — not before.