100Critical
The skill exposes hardcoded credentials, lacks necessary security declarations for network and tool access, and provides insecure implementation instructions while failing to include critical documentation files.
Skill Info
Nameanthropics/knowledge-work-plugins/zoom-cobrowse-sdk
Registrygithub
Version55447a28e6c7
PURLpkg:github/anthropics/knowledge-work-plugins@55447a28e6c7?skill=zoom-cobrowse-sdk
Stars21,418
Installs983
Source
Install
This skill has been flagged as potentially malicious. Review the findings below before installing.
GitHub
981 installs
Skills.shDocs
npx skills add https://github.com/anthropics/knowledge-work-pluginsAssessments (4)
AI Agent Traps ↗Hardcoded credentials detected. Passwords, API keys, and secrets should not be hardcoded in source code. Use environment variables or a secrets manager instead.criticalvulnAML.T0055AML.T0037LLM02:2025
Hardcoded credentials detected. Passwords, API keys, and secrets should not be hardcoded in source code. Use environment variables or a secrets manager instead.
95% confidenceline 10
"token": "eyJhbGciOiJIUzI1NiIs..."
Unverified dependency installation instructionsmediumsupply chainAML.T0010AML.T0019AML.T0058LLM03:2025
The skill instructs users to run 'npm install' without specifying version pins or integrity checks, which could lead to the installation of malicious or compromised packages.
70% confidenceline 171
npm install
Credential custody risk in documentationmediumcredential theftAML.T0055AML.T0037LLM02:2025
The skill provides instructions and code samples for setting up a token server that handles sensitive SDK secrets, which could lead to credential exposure if implemented insecurely by the user.
80% confidenceline 468
const jwt = signJWT(payload, 'YOUR_SDK_SECRET');
Description Mismatchmediumdescription mismatchAML.T0011.000LLM06:2025LLM09:2025
The skill content includes a 'critical' static analysis finding regarding hardcoded credentials, which contradicts the security best practices documented within the skill itself.
85% confidence
The 'Static analysis summary' section explicitly flags '[critical] javascript-hardcoded-credentials — Hardcoded credentials detected', while the documentation warns users not to expose secrets.
Referenced file missing from skill packagelowpolicy violation
SKILL.md links to "concepts/jwt-authentication.md" but the file is not part of the skill package — the workflow silently degrades or the content is sourced elsewhere at runtime
90% confidence
[JWT Authentication](concepts/jwt-authentication.md)
Referenced file missing from skill packagelowpolicy violation
SKILL.md links to "concepts/session-lifecycle.md" but the file is not part of the skill package — the workflow silently degrades or the content is sourced elsewhere at runtime
90% confidence
[Session Lifecycle](concepts/session-lifecycle.md)
Referenced file missing from skill packagelowpolicy violation
SKILL.md links to "examples/agent-integration.md" but the file is not part of the skill package — the workflow silently degrades or the content is sourced elsewhere at runtime
90% confidence
[Agent Integration](examples/agent-integration.md)
Referenced file missing from skill packagelowpolicy violation
SKILL.md links to "examples/customer-integration.md" but the file is not part of the skill package — the workflow silently degrades or the content is sourced elsewhere at runtime
90% confidence
[Customer Integration](examples/customer-integration.md)
Referenced file missing from skill packagelowpolicy violation
SKILL.md links to "get-started.md" but the file is not part of the skill package — the workflow silently degrades or the content is sourced elsewhere at runtime
90% confidence
[Get Started Guide](get-started.md)
Missing licenseinfopolicy violation
Skill does not specify a license field. Specifying a license helps users understand usage terms.
100% confidence
Badge
Markdown
[](https://mondoo.com/ai-agent-security/skills/github/anthropics/knowledge-work-plugins/zoom-cobrowse-sdk)HTML
<a href="https://mondoo.com/ai-agent-security/skills/github/anthropics/knowledge-work-plugins/zoom-cobrowse-sdk"><img src="https://mondoo.com/ai-agent-security/api/badge/github/anthropics/knowledge-work-plugins/zoom-cobrowse-sdk.svg" alt="Mondoo Skill Check" /></a>Image URL
https://mondoo.com/ai-agent-security/api/badge/github/anthropics/knowledge-work-plugins/zoom-cobrowse-sdk.svgSecure your AI agents
Skills can read files, run commands, and access credentials. Mondoo helps organizations manage the security risks of AI agent skills across their entire fleet.
- Continuous scanning of skills across all registries
- Policy enforcement before skills reach your agents
- Integration with your existing security workflow