vibe-prospecting

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 0.90). The prompt instructs reading an API key from a local config and passing it directly on the command line (npx ... --api-key "$API_KEY"), which encourages embedding secrets into generated shell commands/outputs and thus creates a high exfiltration risk if the LLM ever prints or substitutes the actual key verbatim.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The skill explicitly requires running the remote npm CLI via "npx @vibeprospecting/vpai@latest" (which fetches and executes remote code at runtime) and references the production MCP endpoint https://vibeprospecting.explorium.ai/mcp, so it depends on external content that will be fetched and executed during runtime.