sd2-pe

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 1.00). The skill explicitly instructs the model to extract and emit asset URLs or raw asset-xxx IDs verbatim in the mapping (e.g., "资产 ID: [asset-xxx]"), which forces the LLM to handle and output potentially sensitive identifiers/tokens directly, creating an exfiltration risk.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 1.00). The skill's Step 2 ("多模态 JSON/文本解析与自动映射") explicitly requires scanning user-provided JSON for non-text objects like "type": "image_url" / "video_url" and extracting their "url" or asset IDs, which means it ingests arbitrary user-supplied/public URLs and uses them in the prompt-generation workflow—allowing untrusted third-party content to influence subsequent actions.