generate-image-by-seedream

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 0.80). The prompt instructs the agent to detect ARK_API_KEY and, if missing, to ask the user for an API key and supports an api_key field in YAML—encouraging the collection and possible verbatim embedding of secrets rather than keeping them only in environment variables.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.80). The skill's CLI and docs (SKILL.md/README) and the implementation (scripts/generate_image.py) accept arbitrary HTTP/HTTPS reference image URLs (via --image / images in YAML) which are sent to the Ark API and used as input for image generation, meaning untrusted third‑party content can directly influence model behavior.