vm0-cli

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 1.00). The skill prompt contains multiple examples and non-interactive commands that embed secrets verbatim (e.g., --credential "sk-...", --secrets API_KEY=xxx, export VM0_TOKEN=vm0_live_..., vm0 secret set --body "..."), which would require the LLM to output actual secret values in generated commands or scripts.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill explicitly downloads and uses third‑party content (e.g., the "skills" URLs in vm0.yaml pointing to GitHub and the "vm0 agent clone" step which "downloads instructions file (e.g., AGENTS.md)"), so user-authored/public files are fetched and used as agent instructions/skills and can change runtime behavior.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.80). The vm0.yaml "skills" field explicitly lists remote GitHub skill URLs (e.g., https://github.com/vm0-ai/vm0-skills/tree/main/github) which the CLI downloads/includes as part of agent configuration at deploy/run time, meaning fetched content can directly control agent behavior or provide executable skill code.