iblai-vibe-agent-tool

Fail

Audited by Snyk on Jul 7, 2026

Risk Level: HIGH
Full Analysis

HIGH W007: Insecure credential handling detected in skill instructions.

  • Insecure credential handling detected (high risk: 1.00). The prompt includes explicit instructions and examples to set raw token/credential values in API request bodies and headers (e.g., "Bearer abc123", "Token super-secret") for MCP server connections, which implies the LLM could be required to accept and emit secrets verbatim when constructing those requests.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 0.75). The skill’s runtime workflow can ingest outsider-authored free text via MCP server responses/events (e.g., warning/error/message fields and any tool output returned over WebSocket/SSE), which are not authored by the operating user and are fed into the agent/chat context.

Issues (2)

W007
HIGH

Insecure credential handling detected in skill instructions.

W011
MEDIUM

Third-party content exposure detected (indirect prompt injection risk).

Audit Metadata
Risk Level
HIGH
Analyzed
Jul 7, 2026, 01:01 PM
Issues
2
Security Audit — snyk — iblai-vibe-agent-tool