byted-podcast-gen

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 0.90). The skill instructs prompting the user for an API key when missing and then "set it to an environment variable" (or accept command-line auth), which will likely cause the agent to accept and emit the secret verbatim (e.g., export or command-line usage), creating an exfiltration risk.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). This skill accepts arbitrary public webpage or file URLs as required input (see SKILL.md "网页模式" and examples) and passes the input_url through scripts/podcast.py into the remote PodcastTTS websocket endpoint (ENDPOINT in scripts/podcast.py), meaning untrusted third‑party page/file content can be fetched/ingested and influence generated audio and session behavior.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.80). The skill sends a user-supplied --input_url (example shown: https://www.volcengine.com/docs/6561/1668014?lang=zh) to the runtime WebSocket endpoint wss://openspeech.bytedance.com/api/v3/sami/podcasttts so the service will fetch that external URL's content and inject it into the generation context (i.e., it uses remote content at runtime to control the produced prompts/output).