vibes

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 1.00). The skill explicitly instructs the agent to ask for the user's OpenRouter API key and to include it verbatim in a deployment command (e.g., --ai-key "sk-or-v1-your-key"), which requires the LLM to handle and output secret values directly.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill's Step 0.5 explicitly instructs the agent to read a user-provided reference image "local path via Read tool, or URL via WebFetch" and to analyze that third‑party URL content to extract colors/layout which will directly guide design and code generation, so arbitrary external (and thus untrusted) content is ingested and can influence next actions.