yby6-video-parser

Fail

Audited by Snyk on Mar 29, 2026

Risk Level: HIGH
Full Analysis

HIGH W007: Insecure credential handling detected in skill instructions.

  • Insecure credential handling detected (high risk: 1.00). The prompt includes examples and CLI usage that pass the SiliconFlow API key directly (e.g., --api-key sk-your-key and an api_key=sk-... entry in .env), which encourages embedding secret values verbatim in commands/outputs and therefore poses an exfiltration risk.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 0.90). This skill directly fetches and parses arbitrary public sharing URLs (e.g., in scripts/parser/*.py and the main parse_video_by_url / parse_and_download_video flow in scripts/skill.py and SKILL.md), ingesting untrusted, user-generated web content from social platforms (Douyin, Twitter, Bilibili, Weibo, etc.) and using the parsed fields (video_url, title, etc.) to drive downloads and transcription, so third-party content can materially influence tool use and next actions.

MEDIUM W013: Attempt to modify system services in skill instructions.

  • Attempt to modify system services in skill instructions detected (medium risk: 0.60). The skill instructs installing system packages with explicit sudo commands (e.g., "sudo apt install ffmpeg") and modifying the system PATH, which asks the agent/user to perform privileged system changes; such instructions push actions that modify machine state and require elevated privileges.

Issues (3)

  • W007 (HIGH): Insecure credential handling detected in skill instructions.
  • W011 (MEDIUM): Third-party content exposure detected (indirect prompt injection risk).
  • W013 (MEDIUM): Attempt to modify system services in skill instructions.

Audit Metadata

Risk Level: HIGH
Analyzed: Mar 29, 2026, 05:02 AM
Issues: 3