medeo-video

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 1.00). The prompt tells the agent to ask the user for an API key and then embed it verbatim into a command-line invocation (e.g., --api-key "mk_..."), which requires the LLM to output the secret directly and exposes it.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill explicitly accepts and uploads arbitrary public URLs as input assets (docs/assets-upload.md and the --media-urls/ upload flow in scripts/medeo_video.py → api_create_media_from_url / upload_media_urls), and those untrusted third‑party images/videos are incorporated by the AI video creation workflow (compose/render) and therefore can materially influence generation and subsequent actions (e.g., delivery steps), enabling indirect prompt injection via user-provided web content.