Video Summarizer
Fail
Audited by Snyk on Feb 24, 2026
Risk Level: HIGH
Full Analysis
HIGH W007: Insecure credential handling detected in skill instructions.
- Insecure credential handling detected (high risk: 0.80). The skill usually reads API keys from .env (safe), but it explicitly shows and documents passing an API key as a literal CLI argument (e.g., --api-key "sk-or-v1-YOUR_KEY"), which encourages embedding secrets verbatim in generated commands and thus creates an exfiltration risk.
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.90). The skill explicitly ingests and processes user-generated public content (e.g., YouTube video URLs in SKILL.md Quick Start and CLI examples, and social platforms listed in README like Instagram/TikTok/Twitter/X/Reddit and Google Drive/Dropbox), and the agent is required to read and summarize those third‑party transcripts as part of its workflow, which could enable indirect prompt injection.