vercel-ai-sdk

Fail

Audited by Socket on Feb 20, 2026

1 alert found:

Malware (HIGH)
SKILL.md

[Skill Scanner] Installation of third-party script detected

This SKILL.md is an integration guide that is internally consistent with its stated purpose. There is no direct malicious code in the document itself. However, it contains two risky operational recommendations: (1) running the MCP package via 'npx @picahq/mcp' without advising version pinning or integrity verification (supply-chain risk), and (2) spreading the entire process.env into the subprocess env (credential exposure risk). Those choices could enable secret exfiltration or execution of untrusted code when followed in real projects. Overall, the file is not itself malicious, but following the guidance as-is raises supply-chain and secret-leakage concerns and should be hardened before use in sensitive environments.

LLM verification: Functionally, the example correctly demonstrates how to wire an MCP stdio transport into the Vercel AI SDK. The primary security concerns are supply-chain and credential exposure risks: (1) using npx without an explicit pinned version causes runtime downloading/execution of third-party code, and (2) spreading the entire process.env to that subprocess exposes unrelated secrets. There is no direct evidence of embedded malicious code in this documentation fragment, but the recommended patterns mate

Confidence: 95%
Severity: 90%

Audit Metadata
Analyzed At: Feb 20, 2026, 02:33 AM
Package URL: pkg:socket/skills-sh/picahq%2Fskills%2Fvercel-ai-sdk%2F@28d38f6cbe7bb1b3c16d78cccc7748d027ab2036