omnicaptions-transcribe
Fail
Audited by Snyk on Feb 15, 2026
Risk Level: HIGH
Full Analysis
HIGH W007: Insecure credential handling detected in skill instructions.
- Insecure credential handling detected (high risk: 1.00). This skill instructs the agent to prompt the user for their Gemini API key and to run commands using -k <key> (and save the key to config), which requires handling and embedding the secret verbatim in commands/configs — an exfiltration risk.
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.90). The skill explicitly accepts and transcribes public YouTube and direct video URLs (see "YouTube Video Workflow" and examples like omnicaptions transcribe "https://youtu.be/abc"), so it ingests untrusted, user-generated third-party content that the agent will read and interpret.