CtrlK
BlogDocsLog inGet started
Tessl Logo

kumar/tessl-agent

Working reference for agents using the Tessl CLI — create and publish plugins/skills, install from the registry, update, lint, and run evals.

68

Quality

86%

Does it follow best practices?

Impact

No eval scenarios have been run

SecuritybySnyk

Risky

Do not use without reviewing

Overview
Quality
Evals
Security
Files

Security

2 findings — 1 high severity, 1 medium severity. You should review these findings carefully before considering using this skill.

High

W007: Insecure credential handling detected in skill instructions

What this means

The skill handles credentials insecurely by requiring the agent to include secret values verbatim in its generated output. This exposes credentials in the agent’s context and conversation history, creating a risk of data exfiltration.

Why it was flagged

Insecure credential handling detected (high risk: 1.00). This SKILL.md includes a concrete CLI example that embeds an Authorization Bearer token in a command/header (tessl agent mcp add ... --header "Authorization: Bearer token"), which instructs including secrets verbatim in output/commands and is therefore high-risk.

Report incorrect finding
Medium

W012: Unverifiable external dependency detected (runtime URL that controls agent)

What this means

The skill fetches instructions or code from an external URL at runtime, and the fetched content directly controls the agent’s prompts or executes code. This dynamic dependency allows the external source to modify the agent’s behavior without any changes to the skill itself.

Why it was flagged

Potentially malicious external URL detected (high risk: 0.80). The file shows runtime agent-facing commands that contact external endpoints to fetch and install plugins that contain SKILL.md (prompt/instruction) content — e.g. the MCP example URL https://mcp.example.com (SKILL.md:364) and the git install reference github:user/repo (SKILL.md:253) — which can directly control agent prompts when fetched mid-session.

Audited
Security analysis
Snyk