grepai-config-reference

github.com/yoanbernabeu/grepai-skills
Verdict: Do not install
4 critical0 high1 medium
F
SCORE 0 / 100
$skillox install grepai-config-referenceSoon
Sign in to followFollowing emails you when a re-scan drops the grade. Opt-out is per-creator on /account/billing.

Why grade F?

score · 0 / 100

The current grade reflects 4 critical findings (any 2+ CRITs → F).

4 CRIT0 HIGH1 MED0 LOW
To reach a higher grade
  • D
    Reach Dtarget score 30

    Resolve 3 of your 4 CRIT findings — any single CRIT still keeps you at D.

  • C
    Reach Ctarget score 55

    Resolve all 4 CRIT findings.

  • B
    Reach Btarget score 75

    Resolve all 4 CRIT.

  • A
    Reach Atarget score 95

    Resolve all 4 CRIT.

Thresholds are documented at /docs/grading. Source-of-truth is the grade() function in @skillox/scanner.

Latest scan findings

Scan crawl-jqnwlvgwc6gkqqasy7whmu13 · Thu, 28 May 2026 17:32:19 GMT · 2ms

crit
Skill references secret env var ${OPENAI_API_KEY}
The skill instructions reference `${OPENAI_API_KEY}`, which contains a credential. If an attacker can lure the agent into including this in an outbound URL or message, the credential leaks.
rule: env-var-harvestingline: 55CWE-200
53
54 # API key (for OpenAI, supports env vars)
55 api_key: ${OPENAI_API_KEY}references ${OPENAI_API_KEY} — potential credential leak
56
57 # Parallel requests (OpenAI only, for speed)
crit
Skill references secret env var ${OPENAI_API_KEY}
The skill instructions reference `${OPENAI_API_KEY}`, which contains a credential. If an attacker can lure the agent into including this in an outbound URL or message, the credential leaks.
rule: env-var-harvestingline: 256CWE-200
254 provider: openai
255 model: text-embedding-3-small
256 api_key: ${OPENAI_API_KEY}references ${OPENAI_API_KEY} — potential credential leak
257 parallelism: 8
258store:
crit
Skill references secret env var ${OPENAI_API_KEY}
The skill instructions reference `${OPENAI_API_KEY}`, which contains a credential. If an attacker can lure the agent into including this in an outbound URL or message, the credential leaks.
rule: env-var-harvestingline: 284CWE-200
282```yaml
283embedder:
284 api_key: ${OPENAI_API_KEY}references ${OPENAI_API_KEY} — potential credential leak
285
286store:
crit
Skill references secret env var ${DATABASE_URL}
The skill instructions reference `${DATABASE_URL}`, which contains a credential. If an attacker can lure the agent into including this in an outbound URL or message, the credential leaks.
rule: env-var-harvestingline: 288CWE-200
286store:
287 postgres:
288 dsn: ${DATABASE_URL}references ${DATABASE_URL} — potential credential leak
289```
290
med
No capability manifest declared
The skill ships without a `manifest.yaml` or `capabilities` block in its frontmatter. Without a manifest, the runtime cannot enforce what this skill is permitted to do.
rule: no-manifest
View latest scan →
skillox.io/c/grepai-config-reference