The skill insecurely fetches and executes remote instructions, enabling unauthorized third parties to dynamically override the agent's behavior and bypass safety controls.
npx skills add https://github.com/vercel-labs/agent-skillsThe skill fetches external instructions from a remote URL and mandates that the agent follow them, allowing an attacker to modify the agent's behavior or output format dynamically. [ensemble: confirmed by 3/3 passes; severity set to the agreed median (ADR-0067).]
https://raw.githubusercontent.com/vercel-labs/web-interface-guidelines/main/command.md
Skill does not specify a license field. Specifying a license helps users understand usage terms.
[](https://mondoo.com/ai-agent-security/skills/github/vercel-labs/agent-skills/web-design-guidelines)<a href="https://mondoo.com/ai-agent-security/skills/github/vercel-labs/agent-skills/web-design-guidelines"><img src="https://mondoo.com/ai-agent-security/api/badge/github/vercel-labs/agent-skills/web-design-guidelines.svg" alt="Mondoo Skill Check" /></a>https://mondoo.com/ai-agent-security/api/badge/github/vercel-labs/agent-skills/web-design-guidelines.svgSkills can read files, run commands, and access credentials. Mondoo helps organizations manage the security risks of AI agent skills across their entire fleet.