modelslab-deepfake

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 1.00). The skill's examples and functions require accepting an API key and embedding it directly into HTTP request bodies (and show a literal "your_api_key" placeholder), which forces the agent to handle and potentially output secret values verbatim in requests or generated code.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.70). This skill accepts arbitrary public image/video URLs as inputs (init_image, init_video, target_image, source_image) and processes those untrusted, user-provided media via the ModelsLab API, which means third-party content is ingested as part of the agent's runtime workflow and could carry indirect instructions (e.g., visible text or audio in media).