skills/vercel-labs/academy-skills/building-agents-with-eve/Snyk

building-agents-with-eve

Warn

Audited by Snyk on Jun 21, 2026

Risk Level: MEDIUM

Full Analysis

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

Third-party content exposure detected (high risk: 0.85). Teaching mode fetches lesson content from the public Vercel Academy HTTP endpoint (GET https://vercel.com/academy/building-agents-with-eve/<lesson-slug>.md), and that fetched free-form Markdown/lesson text is then read and used as LLM context.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

Potentially malicious external URL detected (high risk: 0.90). The skill's Teaching Mode fetches lesson markdown at runtime from the Vercel Academy endpoints (e.g. GET https://vercel.com/academy/building-agents-with-eve/.md and https://vercel.com/academy/building-agents-with-eve.md) and explicitly follows the returned directives, so remote content directly controls the agent's instructions/prompts at runtime.

Issues (2)

W011

MEDIUM

Third-party content exposure detected (indirect prompt injection risk).

W012

MEDIUM

Unverifiable external dependency detected (runtime URL that controls agent).

Audit Metadata

Risk Level

MEDIUM

Analyzed

Jun 21, 2026, 02:54 AM

Issues

2

Security Audit — snyk — building-agents-with-eve