ai-sdk-v6

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 0.80). The prompt includes an explicit example that embeds a bearer token in code (headers: { Authorization: 'Bearer my-api-key' }), which encourages putting secrets directly into generated code/config and could require the model to output secret values verbatim.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.80). The MCP example calls createMCPClient with a runtime URL (https://your-server.com/mcp) and then does const tools = await mcpClient.tools(); which are passed into generateText/agents, meaning external content fetched at runtime can supply/alter tools that control agent behavior and cause remote code/tool execution.