video-to-text

Fail

Audited by Snyk on Mar 7, 2026

Risk Level: HIGH

Full Analysis

HIGH W007: Insecure credential handling detected in skill instructions.

  • Insecure credential handling detected (high risk: 1.00). The prompt explicitly instructs copying the browser Cookie header and passing it via the -c option (e.g., video2text extract ... -c "<cookie内容>"), which requires the agent to accept and embed secret cookie strings verbatim into commands.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 0.90). The skill explicitly downloads and transcribes public videos from third-party platforms (e.g., 抖音 (Douyin) and B站 (Bilibili)) using user-provided URLs and tools like yt-dlp, as shown in the "命令使用" ("Command usage") (video2text extract ) and "执行流程" ("Execution flow") sections, so untrusted, user-generated web content is ingested and interpreted at runtime.

Audit Metadata

Risk Level: HIGH
Analyzed: Mar 7, 2026, 04:53 PM