pp-vercel-admin
Fail
Audited by Snyk on Jun 18, 2026
Risk Level: HIGH
Full Analysis
HIGH W007: Insecure credential handling detected in skill instructions.
- Insecure credential handling detected (high risk: 0.90). The skill explicitly shows storing an auth token by running a CLI command with the token as an argument (vercel-admin-pp-cli auth set-token YOUR_TOKEN_HERE), which would require the agent/LLM to handle and potentially emit the secret verbatim if used — a high exfiltration risk.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 0.90). The skill explicitly instructs the runtime to fetch and execute remote installer code (npx -y @mvanhorn/printing-press-library) or install and build remote Go modules (go install github.com/mvanhorn/printing-press-library/.../vercel-admin-pp-cli@latest and github.com/mvanhorn/printing-press-library/.../vercel-admin-pp-mcp@latest), so these external package URLs are runtime dependencies that execute remote code.
MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).
- Direct money access detected (high risk: 1.00). The skill exposes explicit, actionable billing/checkout commands that can charge payment methods and purchase items on behalf of an account. Examples: vercel-admin-pp-cli billing buy-credits ("Purchases credits for a Vercel team using the default payment method on file"), vercel-admin-pp-cli registrar buy-domains / registrar buy-single-domain and registrar renew-domain (domain purchase/renewal), plus features like automatic billing plan handling in storage. These are direct financial execution operations (initiate purchases/charges), not merely generic tooling, so the skill grants direct financial execution capability.
Issues (3)
W007
HIGH Insecure credential handling detected in skill instructions.
W012
MEDIUM Unverifiable external dependency detected (runtime URL that controls agent).
W009
MEDIUM Direct money access capability detected (payment gateways, crypto, banking).
Audit Metadata