▥AGENT LAB: SKILLS — FEB 26 NYCAGENT LAB: SKILLS

skills/lattifai/omni-captions-skills/omnicaptions-LaiCut/Snyk

omnicaptions-LaiCut

Fail

Audited by Snyk on Feb 15, 2026

Risk Level: HIGH

Full Analysis

HIGH W007: Insecure credential handling detected in skill instructions.

Insecure credential handling detected (high risk: 1.00). The prompt instructs the agent to ask the user for their LattifAI API key and to run commands using -k <key> (and save it to config), which requires the LLM to accept and embed the secret verbatim in commands/config — an explicit secret-handling/exfiltration risk.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

Third-party content exposure detected (high risk: 0.80). The skill explicitly processes captions from public/user-generated sources (e.g., YouTube VTT and the example omnicaptions download "https://youtu.be/xxx"), so it ingests untrusted third-party content that the agent is expected to read and align.

Audit Metadata

Risk Level

HIGH

Analyzed

Feb 15, 2026, 08:24 PM