iblai-vibe-agent-tool
Fail
Audited by Snyk on Jul 7, 2026
Risk Level: HIGH
Full Analysis
HIGH W007: Insecure credential handling detected in skill instructions.
- Insecure credential handling detected (high risk: 1.00). The prompt includes explicit instructions and examples to set raw token/credential values in API request bodies and headers (e.g., "Bearer abc123", "Token super-secret") for MCP server connections, which implies the LLM could be required to accept and emit secrets verbatim when constructing those requests.
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.75). The skill’s runtime workflow can ingest outsider-authored free text via MCP server responses/events (e.g.,
warning/error/messagefields and any tool output returned over WebSocket/SSE), which are not authored by the operating user and are fed into the agent/chat context.
Issues (2)
W007
HIGHInsecure credential handling detected in skill instructions.
W011
MEDIUMThird-party content exposure detected (indirect prompt injection risk).
Audit Metadata