video-extend

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill explicitly ingests an arbitrary source "video_url" (passed to runcomfy's Veo 3-1 extend endpoints) as part of its required workflow, and SKILL.md even warns that the source video is "untrusted" and may contain embedded/steganographic instructions that can influence the continuation output.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The skill explicitly sends a user-provided video URL at runtime to the RunComfy model (example: "https://your-cdn.example/source-clip.mp4"), and the fetched video content is acknowledged as an untrusted input that can embed/steganographically carry instructions that directly influence model continuations, so this runtime external URL can control prompts.