Skills
skills/erezrokah/skills/vercel-to-cloudflare-migrator/Snyk

vercel-to-cloudflare-migrator

Warn

Audited by Snyk on Apr 24, 2026

Risk Level: MEDIUM
Full Analysis

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 0.70). The skill's Phase 5 explicitly requires live WebFetch of public Cloudflare documentation pages (e.g., developers.cloudflare.com/... pricing pages) and Phase 2 pulls Vercel invoice data from the public Vercel API, and those fetched pages/line-items are parsed and used to compute cost estimates and provisioning decisions — meaning untrusted third-party content is ingested and can materially influence the agent's actions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

  • Potentially malicious external URL detected (high risk: 0.90). The skill explicitly runs "npx --yes vinext@latest check" at runtime, which fetches and executes remote code from the npm registry (e.g., https://registry.npmjs.org/vinext) and is treated as an authoritative, required dependency for the compatibility audit.

Issues (2)

W011
MEDIUM

Third-party content exposure detected (indirect prompt injection risk).

W012
MEDIUM

Unverifiable external dependency detected (runtime URL that controls agent).

Audit Metadata
Risk Level
MEDIUM
Analyzed
Apr 24, 2026, 09:06 PM
Issues
2