modelslab-audio-generation

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 1.00). The skill's examples and functions accept an api_key parameter and embed it directly into HTTP request bodies (e.g., "key": api_key) and usage examples show "your_api_key", which requires the agent to read and include secret values verbatim in generated requests or code.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.80). The SKILL.md explicitly accepts and transcribes publicly accessible audio URLs (see the "Speech to Text" section and the sample speech_to_text function and the Best Practices note that "Audio URLs for speech-to-text must be publicly accessible"), which means the agent will ingest untrusted third-party audio content and interpret it as part of its workflow—content that could contain instructions influencing subsequent actions.