vm0-cli

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 1.00). The prompt contains multiple examples and non-interactive commands that show API keys and secrets embedded verbatim (e.g., --credential "sk-...", --secrets API_KEY=..., --body "sk-...", export VM0_TOKEN=...), so an agent following these instructions may be required to output secret values directly.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The SKILL.md shows vm0.yaml can include public skill URLs (e.g., https://github.com/vm0-ai/vm0-skills/...) and documents that "vm0 agent clone" downloads the agent's compose and instructions file (e.g., AGENTS.md) which the agent will use when run (vm0 run), meaning arbitrary public GitHub or instructions files can be ingested and materially change agent behavior.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.80). The vm0.yaml examples include skill URLs (e.g., https://github.com/vm0-ai/vm0-skills/tree/main/github and https://github.com/vm0-ai/vm0-skills/tree/main/slack) which the docs describe as "List of skill URLs to include" and are therefore fetched/installed as agent skills at runtime and can supply instructions/code that control agent behavior.