mmx-cli

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 1.00). The prompt explicitly shows and endorses passing API keys as command-line arguments (e.g., --api-key sk-xxxxx) and environment exports, which encourages embedding secret values verbatim in generated commands or code.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.80). The skill explicitly accepts and downloads arbitrary remote content—e.g., "mmx vision describe --image " and "mmx search query --q " (see SKILL.md/README examples like mmx vision describe --image https://example.com/img.jpg and the "search query" command), so the agent will fetch and interpret untrusted public URLs and web search results that can materially influence its actions.