The skill contains hardcoded credentials, lacks necessary tool constraints, and exposes potential remote code execution vulnerabilities through unconstrained execution backends and insecure configuration practices.
npx skills add https://github.com/firecrawl/ai-research-skillsHardcoded credentials detected. Passwords, API keys, and secrets should not be hardcoded in source code. Use environment variables or a secrets manager instead.
api_key="nvapi-your-key-here"
The provided configuration examples encourage hardcoding API keys directly into YAML files, which are often committed to version control systems.
api_key: "nvapi-your-key-here"
NER model detected organization in skill content (confidence: 0.52)
L*
NER model detected organization in skill content (confidence: 0.54)
N****
NER model detected organization in skill content (confidence: 0.57)
S********
NER model detected organization in skill content (confidence: 0.59)
D*****
NER model detected organization in skill content (confidence: 0.61)
E*********
NER model detected organization in skill content (confidence: 0.62)
M*******
NER model detected organization in skill content (confidence: 0.67)
M***
NER model detected organization in skill content (confidence: 0.69)
N******
NER model detected organization in skill content (confidence: 0.72)
S******
NER model detected organization in skill content (confidence: 0.75)
N*****
NER model detected organization in skill content (confidence: 0.81)
H********
NER model detected organization in skill content (confidence: 0.90)
O********
NER model detected organization in skill content (confidence: 0.97)
L*****
NER model detected organization in skill content (confidence: 0.57)
*
NER model detected organization in skill content (confidence: 0.79)
*
NER model detected organization in skill content (confidence: 0.81)
*
NER model detected organization in skill content (confidence: 1.00)
M**
The tool supports 'adapter and interceptor' systems and Slurm HPC execution, which, if not strictly sandboxed, could allow for remote code execution on the host or cluster nodes via malicious configuration files. [ensemble: confirmed by 3/3 passes; severity set to the agreed median (ADR-0067).]
See [references/adapter-system.md](references/adapter-system.md)
Unpinned dependency installation — package installed without version pinning
pip install nemo-evaluator-launcher
SKILL.md links to "references/adapter-system.md" but the file is not part of the skill package — the workflow silently degrades or the content is sourced elsewhere at runtime
[references/adapter-system.md](references/adapter-system.md)
SKILL.md links to "references/configuration.md" but the file is not part of the skill package — the workflow silently degrades or the content is sourced elsewhere at runtime
[references/configuration.md](references/configuration.md)
SKILL.md links to "references/custom-benchmarks.md" but the file is not part of the skill package — the workflow silently degrades or the content is sourced elsewhere at runtime
[references/custom-benchmarks.md](references/custom-benchmarks.md)
SKILL.md links to "references/execution-backends.md" but the file is not part of the skill package — the workflow silently degrades or the content is sourced elsewhere at runtime
[references/execution-backends.md](references/execution-backends.md)
The SKILL.md 'name' field does not match the skill's parent directory name, which the Agent Skills spec requires. A mismatch can confuse skill resolution or mask the skill's real identity.
nemo-evaluator-sdk ≠ nemo-evaluator
[](https://mondoo.com/ai-agent-security/skills/github/firecrawl/ai-research-skills/nemo-evaluator)<a href="https://mondoo.com/ai-agent-security/skills/github/firecrawl/ai-research-skills/nemo-evaluator"><img src="https://mondoo.com/ai-agent-security/api/badge/github/firecrawl/ai-research-skills/nemo-evaluator.svg" alt="Mondoo Skill Check" /></a>https://mondoo.com/ai-agent-security/api/badge/github/firecrawl/ai-research-skills/nemo-evaluator.svgSkills can read files, run commands, and access credentials. Mondoo helps organizations manage the security risks of AI agent skills across their entire fleet.