seedance-2-video-gen
Fail
Audited by Snyk on Apr 24, 2026
Risk Level: HIGH
Full Analysis
HIGH W007: Insecure credential handling detected in skill instructions.
- Insecure credential handling detected (high risk: 0.80). The prompt explicitly asks the assistant to prompt for and accept an EvoLink API key if EVOLINK_API_KEY isn't set, and it includes usage examples (export EVOLINK_API_KEY=your_key_here). This encourages users to paste keys into the chat and could cause the model to handle or echo the secret verbatim rather than keeping it only in the environment, creating an exfiltration risk.
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 1.00). The skill explicitly accepts and ingests arbitrary public URLs and web search results (see SKILL.md Step 3 "Reference images/reference videos/reference audio" and the scripts/seedance-gen.sh --image/--video/--audio/--web-search flags, plus references/api-params.md describing model_params.web_search and image_urls/video_urls). Untrusted third-party content is therefore fetched and directly influences model behavior and generation decisions.
Issues (2)
W007
HIGH Insecure credential handling detected in skill instructions.
W011
MEDIUM Third-party content exposure detected (indirect prompt injection risk).
Audit Metadata