advanced-video-downloader

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 1.00). The skill instructs embedding API keys and cookies directly into commands and script arguments (e.g., --api-key sk-xxx, SILICONFLOW_API_KEY=sk-xxx, passing cookies via cookies.txt and reading cookie values), which would require the agent to request and/or emit secret values verbatim in its output.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill explicitly fetches and scrapes untrusted, user-generated content—e.g., scripts/twitter_video_downloader.py uses Playwright to search x.com and extract tweet/video URLs and yt-dlp downloads arbitrary public social-media/video URLs which are then transcribed—so the agent ingests and interprets third‑party web/user content.