byted-seedance-video-generate

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 1.00). The skill instructs the agent to obtain and write API keys (ARK_API_KEY / MODEL_VIDEO_API_KEY / MODEL_AGENT_API_KEY) into the workspace environment file and to make them effective, which requires the LLM to handle secret values directly (and likely accept them from the user), creating an exfiltration risk.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). This skill accepts arbitrary public URLs for first_frame, last_frame, reference_images, reference_videos, and reference_audios (documented in SKILL.md and implemented in scripts/video_generate.py) and sends those untrusted third‑party resources to the generation API to be interpreted as part of the video-generation workflow, so external content could indirectly inject instructions that alter behavior.