ffmpeg

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 1.00). The prompt includes an example that embeds an Authorization Bearer token directly into an ffmpeg command-line (ffmpeg -headers "Authorization: Bearer TOKEN\r\n"), which encourages putting secrets verbatim into generated commands and thus risks secret exfiltration.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.80). The skill's workflow explicitly shows fetching public media (e.g., "ffmpeg -i 'https://example.com/playlist.m3u8'" in section 11 and the "yt-dlp -f bestvideo+bestaudio URL" mention in Related Tools) and then running a "Video Analysis (Sub-Agent Pattern)" where the agent reads synthesized text summaries from analyzed frames, meaning untrusted user-generated web content can be fetched and its extracted summaries interpreted and used to drive subsequent actions.