modelslab-interior-design

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 1.00). The skill's example code and payloads explicitly pass an API key as "key": api_key (and show "your_api_key" in usages), which requires the agent to embed user-provided secrets directly into generated requests or code, creating exfiltration risk.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.80). The skill accepts arbitrary public image URLs via parameters like init_image and object_image (used in endpoints such as /api/v6/interior/interior, /floor_planning, and /interior_mixer) and sends those untrusted/user‑provided images to the ModelsLab API to be interpreted as part of its workflow, which could enable indirect prompt injection.