giggle-generation-image

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 1.00). The prompt forbids embedding the API key but explicitly requires returning full signed URLs containing Policy/Key-Pair-Id/Signature query parameters (secret tokens) verbatim from API responses, which forces the LLM to output sensitive credential-like values.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill explicitly accepts and fetches arbitrary external reference image URLs (see "Image-to-image
• Reference URL" in SKILL.md and the scripts/generation_api.py _parse_reference_image / image_to_image and download_images functions), meaning untrusted third‑party content is ingested and used as input that can materially influence generation outputs.