@554/youtube-summary

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 0.90). The skill allows and even instructs providing the Supadata API key "directly when prompted" and shows a curl example that would embed the key in requests, which creates a high risk of the LLM handling or echoing secrets verbatim rather than only using env vars.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The SKILL.md Workflow Step 2 explicitly fetches transcripts via the Supadata API for arbitrary YouTube URLs (public/user-generated third-party content) which the agent then reads and uses to drive summarization, allowing untrusted content to influence its outputs and actions.