byted-seedance-video-generate

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 0.90). The skill instructs the agent to request/provision API keys and to write/append them into an environment variable file (making them effective and retrying), which requires handling and embedding secret API key values verbatim — an exfiltration risk.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill accepts arbitrary public URLs for first_frame/last_frame/reference_images/reference_videos/reference_audios (see SKILL.md params and scripts/video_generate.py where _build_content builds these URL items and _create_video_task sends them to the external /contents/generations/tasks API) and uses them as reference guidance for generation, so untrusted third‑party content can materially influence model behavior.