Skills
skills/simonstrumse/vibelabs-skills/google-deep-research/Snyk

google-deep-research

Fail

Audited by Snyk on Feb 28, 2026

Risk Level: HIGH
Full Analysis

HIGH W007: Insecure credential handling detected in skill instructions.

  • Insecure credential handling detected (high risk: 1.00). The skill's examples and workflow require embedding API keys directly into request headers and assigning them into code variables (and even show key-like strings), which forces the agent/LLM to handle and potentially output secret values verbatim.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 0.90). The SKILL.md explicitly instructs sending queries to Google's Deep Research API which "runs comprehensive research queries server-side, searching multiple web sources" and returns synthesized reports with source citations/URLs (e.g., "Search ESG reports, press releases, LinkedIn..." in Query Design), so the agent consumes untrusted public web content that can materially influence its findings and actions.
Audit Metadata
Risk Level
HIGH
Analyzed
Feb 28, 2026, 04:50 AM