tavus-video-gen

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 1.00). The prompt's curl examples require placing the API key directly in request headers (x-api-key: YOUR_API_KEY), which instructs replacing the placeholder with the real secret and thus would cause the model to handle/output secret values verbatim.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill accepts arbitrary external URLs (e.g., background_url which "records a scrolling website as the background", plus audio_url/background_source_url/watermark_url) and fetches/ingests public website and media content, exposing the agent to untrusted third‑party content that could carry indirect prompt injection.