
Add SafeSkill security badge (97/100 — Verified Safe) #1

Open
OyaAIProd wants to merge 1 commit into devjoaocastro:main from OyaAIProd:safeskill-scan-1775095630800

@OyaAIProd OyaAIProd commented Apr 2, 2026

✅ SafeSkill Security Scan Results

| Metric | Value |
| --- | --- |
| Overall Score | 97/100 (Verified Safe) |
| Code Score | 99/100 |
| Content Score | 92/100 |
| Findings | 25 findings detected (1 critical) |
| Taint Flows | 0 |
| Files Scanned | 2 |
| Scan Duration | 2.3s |

Top Findings

  • 🔴 critical: Accesses sensitive environment variable: VULK_API_KEY (src/index.ts:55)
  • 🟡 medium: Makes HTTP request via fetch (src/api.ts:31)
  • 🟡 medium: Makes HTTP request via fetch (src/api.ts:93)
  • 🟡 medium: Accesses environment variables (src/api.ts:6)
  • 🟡 medium: Accesses environment variables (src/index.ts:55)

View full report on SafeSkill


About SafeSkill

SafeSkill is a free, open-source security scanner for AI tools, MCP servers, and Claude Code skills. We scan for code exploits, prompt injection, and data exfiltration risks.

False positive? We take accuracy seriously. If any finding above is incorrect, please open an issue and we will fix it immediately.

Summary by CodeRabbit

  • Documentation
    • Added a SafeSkill verification badge link to the documentation.

coderabbitai Bot commented Apr 2, 2026

📝 Walkthrough

A SafeSkill verification badge link was added to the README.md file under the "What This Does" section. This is a documentation-only addition requiring no code changes.

Changes

| Cohort / File(s) | Summary |
| --- | --- |
| Documentation: README.md | Added SafeSkill verification badge link under the "What This Does" section. |

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~2 minutes

Poem

🐰 A badge so shiny, verification true,
In the README it gleams, a link anew,
SafeSkill declares the project's worth,
A tiny change that proves its birth! ✨

🚥 Pre-merge checks | ✅ 3
✅ Passed checks (3 passed)
| Check name | Status | Explanation |
| --- | --- | --- |
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The PR title accurately describes the main change: adding a SafeSkill security badge with a verified safety score. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |


@coderabbitai coderabbitai Bot left a comment

🧹 Nitpick comments (1)
README.md (1)

25-26: SafeSkill report URL is accessible and correct.

The SafeSkill badge URL is publicly accessible (HTTP 200) and correctly links to the repository's security report.

Consider placing the badge with other badges for visual consistency.

The SafeSkill badge is currently isolated under the "What This Does" section. For better visual organization and consistency, move it to lines 11-15 where the other badges (npm, vulk.dev, license) are grouped.

📝 Alternative placement with other badges

Remove from current location:

 ## What This Does
 
-[![SafeSkill 97/100](https://img.shields.io/badge/SafeSkill-97%2F100_Verified%20Safe-brightgreen)](https://safeskill.dev/scan/devjoaocastro-vulk-mcp-server)
-
 This MCP server connects AI coding assistants to VULK's app builder.

Add with other badges at the top:

 <p align="center">
   <a href="https://www.npmjs.com/package/@vulk/mcp-server"><img src="https://img.shields.io/npm/v/@vulk/mcp-server?color=0D9373" alt="npm" /></a>
   <a href="https://vulk.dev"><img src="https://img.shields.io/badge/vulk.dev-live-0D9373" alt="VULK" /></a>
   <a href="https://github.com/devjoaocastro/vulk-mcp-server/blob/main/LICENSE"><img src="https://img.shields.io/badge/license-MIT-blue" alt="MIT License" /></a>
+  <a href="https://safeskill.dev/scan/devjoaocastro-vulk-mcp-server"><img src="https://img.shields.io/badge/SafeSkill-97%2F100_Verified%20Safe-brightgreen" alt="SafeSkill 97/100" /></a>
 </p>
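
Review bot: The added `<a href="https://safeskill.dev/scan/devjoaocastro-vulk-mcp-server">` line carries the score as literal text in a static shields.io URL (`/badge/SafeSkill-97%2F100_Verified%20Safe-brightgreen`), so the README will keep showing "97/100 Verified Safe" no matter what later commits or rescans produce. The same scan summary in this PR lists 25 findings, one of them critical (access to `VULK_API_KEY` at src/index.ts:55), which a reader cannot tell from the badge label. Suggest either dropping the numeric score and "Verified Safe" wording from the badge text, or stating next to it which commit the scan covered, and triaging the critical finding before the badge is merged.
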
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@README.md` around lines 25 - 26, Move the SafeSkill badge markdown line that
starts with "[![SafeSkill 97/100]" out of the "What This Does" section and place
it alongside the existing badge group near the top where the npm, vulk.dev and
license badges are defined so all badges are visually grouped; locate the badge
line in README.md (the full "[![SafeSkill
97/100](https://img.shields.io/...)](https://safeskill.dev/...)" string) and
insert it with the other badges, removing the original isolated occurrence.
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Nitpick comments:
In `@README.md`:
- Around line 25-26: Move the SafeSkill badge markdown line that starts with
"[![SafeSkill 97/100]" out of the "What This Does" section and place it
alongside the existing badge group near the top where the npm, vulk.dev and
license badges are defined so all badges are visually grouped; locate the badge
line in README.md (the full "[![SafeSkill
97/100](https://img.shields.io/...)](https://safeskill.dev/...)" string) and
insert it with the other badges, removing the original isolated occurrence.

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 0b5939c4-bacf-4d83-affe-d05ea4fe33c6

📥 Commits

Reviewing files that changed from the base of the PR and between 61128dc and 06eb19c.

📒 Files selected for processing (1)
  • README.md
