rw-generate-video

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 1.00). The prompt explicitly allows/encourages passing the Runway API key as a --api-key command-line argument (or otherwise supplying RUNWAYML_API_SECRET), which can lead the agent to request and embed the secret verbatim in generated commands or scripts, an exfiltration risk.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.80). The skill accepts arbitrary remote media via the documented --image-url and --video-url parameters in SKILL.md, so it can fetch and ingest untrusted third-party images/videos (e.g., public URLs) that the generation pipeline will read and use to influence outputs, enabling indirect prompt-injection risk.