build-with-tambo

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 1.00). The prompt explicitly shows and instructs using API keys on the command line (e.g., npx tambo init --api-key=sk_...) and creating .env files with those values, which requires the agent to accept and embed secrets verbatim in commands/files, an exfiltration risk.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.80). The skill includes runtime commands like "npx tambo init --api-key=sk_..." (which causes npx to fetch and execute the remote "tambo" npm package from the npm registry, i.e., registry.npmjs.org), so it relies on fetching and running external code at runtime.