vibe-check
Fail
Audited by Snyk on Feb 15, 2026
Risk Level: HIGH
Full Analysis
HIGH W007: Insecure credential handling detected in skill instructions.
- Insecure credential handling detected (high risk: 1.00). The CLI examples explicitly show typing passwords/secret strings via commands (e.g., vibium type ... "secret"), which requires embedding secret values verbatim in generated commands/outputs and thus exposes them.
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 1.00). The skill exposes the agent to arbitrary public webpages via commands like "vibium navigate " and then reads that untrusted content with "vibium text", "vibium html", and "vibium eval", which can allow indirect prompt injection from third‑party sites.