vm0-agent
Fail
Audited by Snyk on Mar 26, 2026
Risk Level: HIGH
Full Analysis
HIGH W007: Insecure credential handling detected in skill instructions.
- Insecure credential handling detected (high risk: 1.00). The prompt instructs the agent to ask users to paste API tokens and shows examples embedding those secrets verbatim into CLI commands (e.g., vm0 secret set --body "xoxb-xxx", --secrets API_KEY=sk-xxx), which requires the LLM to handle and output secret values directly.
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.80). The SKILL.md workflow explicitly instructs the agent to fetch and process open/public third-party content (e.g., HackerNews, RSS feeds, YouTube, Twitter/X, competitor websites in the "Research" options) and to call external endpoints like https://skills.sh/api/search and GitHub skill trees in the "Innovate"/"Find Skills" steps, and that content is read and used to drive processing, summaries, notifications, and automated replies, so untrusted user-generated content could materially influence agent actions.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 0.80). The skill explicitly runs runtime fetches (e.g., curl "https://skills.sh/api/search?q=") and relies on GitHub skill tree URLs (for example https://github.com/vm0-ai/vm0-skills/tree/main/slack and other https://github.com/.../tree/main/{skill-name}) and cloned AGENTS.md/vm0.yaml from the cloud, all of which are fetched at runtime and can contain SKILL.md or agent instructions that directly control prompts/agent behavior.
Issues (3)
- W007 (HIGH): Insecure credential handling detected in skill instructions.
- W011 (MEDIUM): Third-party content exposure detected (indirect prompt injection risk).
- W012 (MEDIUM): Unverifiable external dependency detected (runtime URL that controls agent).
Audit Metadata