ai-video-production-master

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). This skill's runtime scripts (notably scripts/cloud_i2v_batch.py and the onstart script) query and parse Vast.ai marketplace offers, interact with remote instances, and download model/artifacts from public Hugging Face URLs (and similar cloud providers), so it clearly ingests and acts on untrusted, third‑party web content as part of its workflow (offers, instance metadata, and downloaded model files).

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The skill's onstart script (executed at instance launch) wget's model artifacts from Hugging Face — e.g. https://huggingface.co/city96/Wan2.1-I2V-14B-480P-GGUF/resolve/main/wan2.1-i2v-14b-480p-Q5_K_M.gguf (and related Comfy-Org model URLs) — which are fetched at runtime and loaded/executed by ComfyUI as required model dependencies, so remote content directly affects the agent's execution environment.