video-tool

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 1.00). The prompt explicitly instructs the agent to ask users for API keys and then run commands embedding those secrets verbatim (e.g., video-tool config keys --set KEY=VALUE or showing actual key strings in credential files), which requires the LLM to handle and output secret values directly, creating an exfiltration risk.

CRITICAL E005: Suspicious download URL detected in skill instructions.

• Suspicious download URL detected (high risk: 0.85). The astral.sh link is a direct installer script (curl|sh) from a third‑party domain (high risk), the GitHub repo is from an unknown user (moderate risk), while the YouTube URL is benign — overall this set includes suspicious download vectors that could distribute malware.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The skill's installation steps fetch and execute remote code required for runtime: "curl -LsSf https://astral.sh/uv/install.sh | sh" and "uv tool install git+https://github.com/alejandro-ao/video-tool-cli.git" (both download and run external code/repos during setup).