oma-deepsec
Facilitates the use of Vercel's deepsec vulnerability scanner for secure and cost-effective scanning and triaging of code repositories.
Security score: 59/100
The oma-deepsec skill was audited on May 13, 2026 and we found 9 security issues across 2 threat categories. Review the findings below before installing.
Categories Tested
Security Issues
medium line 183
Template literal with variable interpolation in command context
Source: SKILL.md
| 183 | ```bash |
medium line 87
Access to .env file
Source: SKILL.md
| 87 | 4. Check for an AI credential in `.env.local` or shell env; if none, route to credential setup before any `process` / `revalidate` / `triage` call. |
medium line 110
Access to .env file
Source: SKILL.md
| 110 | | `Missing AI credentials for --agent claude` / `codex` | Pick a credential mode (gateway key / OIDC / direct / subscription) per `resources/config.md` and write `.env.local`. | |
medium line 111
Access to .env file
Source: SKILL.md
| 111 | | `401 Unauthorized` from gateway | OIDC: re-run `vercel env pull` (12 h expiry). API key: regenerate. Confirm `.env.local` is in the cwd deepsec runs from. | |
medium line 130
Access to .env file
Source: SKILL.md
| 130 | | Detect existing workspace and credentials | `READ` | `.deepsec/`, `.env.local`, env vars | |
low line 160
Access to .env file
Source: SKILL.md
| 160 | # Edit .env.local: set AI_GATEWAY_API_KEY=vck_… (or VERCEL_OIDC_TOKEN via `vercel env pull`) |
medium line 199
Access to .env file
Source: SKILL.md
| 199 | | `LOCAL_FS` | `.deepsec/deepsec.config.ts`, `.deepsec/.env.local`, `.deepsec/matchers/`, `.deepsec/data/<id>/{project.json,INFO.md,config.json,files/,runs/,reports/}`, generated `findings/`, `comment |
medium line 214
Access to .env file
Source: SKILL.md
| 214 | - Writes `.env.local` (never commit) and may run `vercel link` / `vercel env pull` (writes `.vercel/project.json` + token). |
medium line 230
Access to .env file
Source: SKILL.md
| 230 | 9. **Never echo or commit credentials** (`vck_…`, `sk-ant-…`, `sk-…`, OIDC tokens). Treat `.env.local` as secret. Treat `data/` as gitignored by default. |
Scanned on May 13, 2026