video-analyzer
Audited by Socket on Feb 24, 2026
1 alert found:
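Security [Skill Scanner] Installation of third-party script detected

All findings:
[HIGH] supply_chain: Installation of third-party script detected (SC006) [AITech 9.1.4]
[HIGH] supply_chain: Installation of third-party script detected (SC006) [AITech 9.1.4]

Conclusion: The skill's functionality is consistent with its stated purpose (video content analysis): downloading, compressing, uploading, and calling the Responses API to generate timeline notes is a reasonable workflow. The main security risk is not overtly malicious behavior in the code but the data egress and credential usage pattern: it reads the local API_KEY and uploads the video together with the credential to a third-party domain (ark.cn-beijing.volces.com), and it recommends using browser cookies to fetch restricted videos. Both points pose a potential data leakage / credential abuse risk. If the user trusts the third party and is confident in its privacy policy and key management, the skill can be used for its intended purpose; otherwise it should be treated as medium to moderately high risk and used with caution (especially for sensitive videos, private conversations, or copyrighted content).

LLM verification: The skill implements a legitimate video analysis workflow (download, compress, upload, request model analysis). There is no clear sign of embedded malware or obfuscated malicious code in the provided fragment. Primary security concerns are operational: forwarding user videos and a bearer API key to a third-party endpoint of unclear provenance, and instructing use of browser cookies for downloads which expands credential exposure. These behaviors represent a supply-chain and privacy risk rather t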