vector-embed

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 1.00). The skill explicitly tells the agent to read file contents (which may include secrets) and pass them verbatim as the positional argument to the CLI (e.g., embed text ""), which forces the LLM to include user-provided secret values in its output/commands.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 1.00). The skill invokes remote npm packages at runtime (e.g., "npx -y ruvector@0.2.25" and "npm install ruvector-onnx-embeddings-wasm"), which fetches and executes third-party code during execution, so this is a required external dependency that runs remote code.