flyworks-avatar-video
Warn
Audited by Gen Agent Trust Hub on Apr 14, 2026
Risk Level: MEDIUM
CREDENTIALS_UNSAFE, PROMPT_INJECTION, DATA_EXFILTRATION
Full Analysis
- [CREDENTIALS_UNSAFE]: The script `scripts/hifly_client.py` contains a hardcoded API token (`DEFAULT_TOKEN = "2aeda3bcefac46a3"`). While documentation indicates this is a public demo token for limited watermarked use, hardcoding functional credentials in source code is a security risk.
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection because it ingests untrusted user-provided data that is subsequently used as parameters for the external video generation service.
  * Ingestion points: `args.text`, `args.audio`, and `args.image` in `scripts/hifly_client.py`.
  * Boundary markers: Not present; user input is passed directly to API requests without delimiters or instructions to ignore embedded commands.
  * Capability inventory: The skill has network access via the `requests` library and can upload local files to the Flyworks API.
  * Sanitization: No validation or filtering is performed on the input text or media sources.
- [DATA_EXFILTRATION]: The skill transmits user-specified local files and text to the vendor's API at `hfw-api.hifly.cc` for the purpose of video generation.
Audit Metadata