multimodal-gen

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill sends user prompts to an external API (https://xingjiabiapi.com/v1) in prompt_optimizer.py and generate_image.py/generate_video.py — it ingests the optimizer model's returned text (used as the optimized prompt) and follows URLs/base64 returned by that third-party service as part of its core workflow, so untrusted third‑party content can directly alter prompts and subsequent tool actions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 1.00). The skill calls the external API at https://xingjiabiapi.com/v1 at runtime (used by prompt_optimizer.py, generate_image.py, and generate_video.py) to obtain optimized prompt text and generation responses which are injected into the agent's prompts/flow, making this remote endpoint a required runtime dependency that directly controls agent instructions.