vibesubin

vibesubin

A portable skill plugin that teaches your AI assistant to refactor, audit, and deploy your code the way I wish it would by default — and lets you run all of it at once with /vibesubin.

It's built for people who ship real things with AI but weren't trained as developers. These are the habits I use when I'm coding with an AI myself, packaged as skills so your assistant can follow them without you having to know every rule.

The same SKILL.md files work in Claude Code, Codex CLI, and any agent supported by skills.sh — Cursor, Copilot, Cline, and others. Write once; every host picks it up.

한국어 · 中文 · 日本語

Quick start

Install Claude Code, then run:

/plugin marketplace add subinium/vibesubin
/plugin install vibesubin@vibesubin

Open a repo. Type /vibesubin. Every skill fans out across your code in parallel, read-only, and comes back with a single prioritized report — nothing is modified until you approve items. When you want a skill to actually do the work, call it by name (/refactor-verify, /setup-ci, etc.) and it edits your files directly.

Using Codex CLI, Cursor, Copilot, or Cline? Jump to Install.

What vibesubin is, and what it isn't

A small bundle of AI skills — SKILL.md files — that your agent picks up automatically whenever a request matches. You don't memorize trigger phrases. You just say what you want in plain words — "split this file safely", "is anything leaking?", "set up deploy" — and the right skill runs.

The rule every skill shares: they don't say done until they can show you the evidence. A refactor isn't finished because the AI rewrote the file; it's finished because four independent checks confirm nothing was dropped, moved, or mis-wired. A security sweep isn't a vibes-based paragraph; it's a triaged list where each hit is either real, a false alarm, or flagged for human review, with a file and a line number.

What it is not: not a SaaS (nothing leaves your machine), not a compliance tool (no SOC 2 / HIPAA), not a code generator. It improves the repo you already have.

Read-only sweeps vs. skills that actually edit

This is the thing to get straight early. There are two ways to use the plugin, and they behave very differently.

• Sweep mode (/vibesubin). Every skill runs in parallel, read-only. They produce findings, not fixes. Nothing in your repo changes until you approve items from the report. This is the "I want an honest second opinion" mode.
• Direct call (/refactor-verify, /setup-ci, /write-for-ai, /manage-secrets-env, /project-conventions, /unify-design). The skill does its full job, which includes editing files. refactor-verify rewrites your code across the dependency tree. setup-ci drops working YAML into .github/workflows/. write-for-ai edits your README. manage-secrets-env scaffolds .env.example, .gitignore, and runs the full secret lifecycle. project-conventions scaffolds Dependabot, enforces pinning, fixes hardcoded paths. unify-design scaffolds the tokens file and rewrites components to reference it. These are the "do the work" modes.

Three skills never edit regardless of how you call them: fight-repo-rot (pure diagnosis — finds dead code and smells, hands off to refactor-verify for deletions), audit-security (static triage report only), and manage-assets (bloat report only — never rewrites history, never deletes files). Everything else — refactor-verify, setup-ci, write-for-ai, manage-secrets-env, project-conventions, unify-design — is a real worker skill when called directly, and a read-only reporter when invoked via the sweep.

Today's lineup