paw-cra-agent-video-producer

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 1.00). The prompt instructs the agent to load API keys from local config (fal_key, elevenlabs_api_key, etc.) and to use curl for API jobs, which implies generating commands/requests that embed those secrets verbatim, creating an exfiltration risk.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.80). The skill's Research & Learn workflow (references/research-capability.md) explicitly instructs the agent to "research the topic using available web search tools," which requires fetching and ingesting public web content that the agent will read and use to influence production decisions, exposing it to untrusted third‑party/user‑generated content.