vercel-ai-sdk
Audited by Socket on Feb 16, 2026
1 alert found:
Malware [Skill Scanner] Installation of third-party script detected

All findings:
[CRITICAL] command_injection: Installation of third-party script detected (SC006) [AITech 9.1.4]
[HIGH] command_injection: Backtick command substitution detected (CI003) [AITech 9.1.4]

BENIGN but with privacy/data-leak risk: The code is consistent with its stated purpose (Vercel AI SDK integration). It does not contain obvious malware or backdoors. However, the example demonstrates directly serializing and embedding database product data into model prompts, which can leak sensitive or PII data to the AI provider. Recommend adding guidance on data minimization, redaction, and obtaining consent before sending store data to third-party models.

LLM verification: Functionally this skill/document is consistent with its stated purpose and contains no obvious malware or obfuscated code. The main security concern is data exfiltration: the example explicitly sends session.shop and a JSON dump of product documents to an external LLM provider (via the ai/@ai-sdk/openai integration). That flow is reasonable for a shop-aware assistant but should be treated as a deliberate disclosure of potentially sensitive business/customer data. Recommendations: minimize and sa