workflow-migration

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 1.00). The skill instructs the agent to read local .env and environment variables, present detected API tokens and secrets to the user, and auto-generate .env/vm0.yaml entries containing those secret values, which requires the LLM to handle and output secret values verbatim.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.80). The SKILL.md's AGENTS.md example (under "Workflow: Daily News Generation" / "Step 1: Gather News") explicitly instructs the agent to use WebSearch/WebFetch to retrieve full article content from public news sites (e.g., Reuters, BBC, CNN, TechCrunch) and then read/interpret that content to generate summaries and publish to Notion, which clearly exposes the agent to untrusted third-party web content that can influence actions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The vm0.yaml explicitly lists external VM0 skill GitHub URLs (e.g. https://github.com/vm0-ai/vm0-skills/tree/main/notion) which are referenced as required "skills" the agent will load at runtime, meaning remote repository content would be fetched and could directly supply/alter agent behavior or execute code.