vibe-check

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 1.00). The prompt includes examples that embed plaintext secrets directly into CLI commands (e.g., vibium fill "input" "secret", vibium cookies ), which forces an agent to include secret values verbatim in its generated output.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill's core workflow explicitly navigates to arbitrary public URLs and ingests page content (e.g., "vibium go " plus commands that read/interpret pages such as "vibium text", "vibium html", "vibium eval", and semantic finds), so untrusted third-party page content can directly influence subsequent clicks, fills, and tool decisions.