Skills
skills/vercel-labs/vercel-plugin/benchmark-testing/Snyk

benchmark-testing

Warn

Audited by Snyk on Mar 7, 2026

Risk Level: MEDIUM
Full Analysis

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 1.00). The SKILL.md workflow explicitly installs a public GitHub plugin with "npx add-plugin https://github.com/vercel-labs/vercel-plugin" and then launches Claude Code with --settings .claude/settings.json so the agent loads and executes third‑party plugin code from that public repo, which can influence its tool use and actions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

  • Potentially malicious external URL detected (high risk: 0.90). The skill installs a plugin at runtime using "npx add-plugin https://github.com/vercel-labs/vercel-plugin", which fetches remote code that is then loaded via .claude/settings.json and can inject or control prompts/skills during agent execution.
Audit Metadata
Risk Level
MEDIUM
Analyzed
Mar 7, 2026, 08:48 AM