pp-vercel-admin

Fail

Audited by Snyk on Jun 18, 2026

Risk Level: HIGH
Full Analysis

HIGH W007: Insecure credential handling detected in skill instructions.

  • Insecure credential handling detected (high risk: 0.90). The skill explicitly shows storing an auth token by running a CLI command with the token as an argument (vercel-admin-pp-cli auth set-token YOUR_TOKEN_HERE), which would require the agent/LLM to handle and potentially emit the secret verbatim if used — a high exfiltration risk.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

  • Potentially malicious external URL detected (high risk: 0.90). The skill explicitly instructs the runtime to fetch and execute remote installer code (npx -y @mvanhorn/printing-press-library) or install and build remote Go modules (go install github.com/mvanhorn/printing-press-library/.../vercel-admin-pp-cli@latest and github.com/mvanhorn/printing-press-library/.../vercel-admin-pp-mcp@latest), so these external package URLs are runtime dependencies that execute remote code.

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

  • Direct money access detected (high risk: 1.00). The skill exposes explicit, actionable billing/checkout commands that can charge payment methods and purchase items on behalf of an account. Examples: vercel-admin-pp-cli billing buy-credits ("Purchases credits for a Vercel team using the default payment method on file"), vercel-admin-pp-cli registrar buy-domains / registrar buy-single-domain and registrar renew-domain (domain purchase/renewal), plus features like automatic billing plan handling in storage. These are direct financial execution operations (initiate purchases/charges), not merely generic tooling, so the skill grants direct financial execution capability.

Issues (3)

HIGH W007: Insecure credential handling detected in skill instructions.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

Audit Metadata

Risk Level: HIGH
Analyzed: Jun 18, 2026, 01:50 PM
Issues: 3