▥AGENT LAB: SKILLS — FEB 26 NYCAGENT LAB: SKILLS

skills/lattifai/omni-captions-skills/omnicaptions-translate/Snyk

omnicaptions-translate

Fail

Audited by Snyk on Feb 15, 2026

Risk Level: HIGH

Full Analysis

HIGH W007: Insecure credential handling detected in skill instructions.

Insecure credential handling detected (high risk: 1.00). The prompt instructs the agent to ask the user for their Gemini API key and to run commands with -k <key> (and save it to a config file), which requires the LLM to accept and embed the secret verbatim in commands/config — creating an exfiltration risk.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

Third-party content exposure detected (high risk: 0.80). The skill explicitly processes external caption files and even lists "Translate YouTube video transcripts" and a related /omnicaptions:download step, so it will ingest public, user-generated caption content (untrusted third-party data) as part of its workflow.

Audit Metadata

Risk Level

HIGH

Analyzed

Feb 15, 2026, 08:21 PM