skills/uxuiprinciples/agent-skills/vibe-coding-advisor/Snyk

vibe-coding-advisor

Warn

Audited by Snyk on Apr 5, 2026

Risk Level: MEDIUM

Full Analysis

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

Third-party content exposure detected (high risk: 0.85). The skill explicitly fetches external prompts from the public API at https://uxuiprinciples.com/api/v1/principles (see toolbox.get_principle_prompts curl command) and then selects and injects those third-party "vibeCodingPrompts" into the assembled_context that will drive downstream code-generation, so untrusted external content can directly influence agent actions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

Potentially malicious external URL detected (high risk: 0.90). The skill issues runtime curl calls to https://uxuiprinciples.com/api/v1/principles?slug={slug}&include_content=true (and the include_content=false variant) to fetch vibeCodingPrompts that are then injected into the agent's generation prompts, so remote content directly controls prompts and is a required dependency.

Issues (2)

W011

MEDIUM

Third-party content exposure detected (indirect prompt injection risk).

W012

MEDIUM

Unverifiable external dependency detected (runtime URL that controls agent).

Audit Metadata

Risk Level

MEDIUM

Analyzed

Apr 5, 2026, 09:23 AM

Issues

2