video-generate

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 1.00). The skill instructs the agent to obtain and write API keys (ARK_API_KEY / MODEL_VIDEO_API_KEY / MODEL_AGENT_API_KEY) into the workspace environment file and make them effective, which requires handling secret values verbatim and risks exfiltration.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.80). The skill explicitly accepts arbitrary external URLs for first_frame/last_frame/reference_images/reference_videos/reference_audios (shown in SKILL.md and implemented in scripts/video_generate.py's _build_content/_build_request_body) and sends them to the generation API to guide outputs, so untrusted third‑party content can be ingested and materially influence generation behavior.