comic-drama-master
Fail
Audited by Snyk on Jun 26, 2026
Risk Level: HIGH
Full Analysis
HIGH W007: Insecure credential handling detected in skill instructions.
- Insecure credential handling detected (high risk: 1.00). The prompt requires the agent to embed and display TOS signed URLs (including query signature parameters) verbatim in tags and as plain text, forcing the LLM to handle and output sensitive signed URL tokens directly.
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.75). 在步骤3“剧本生成”中会调用
python scripts/web_search.py <query>获取网页搜索摘要(外部公共网页内容),随后这些摘要会被用于生成plot.md/script.md并进入后续 LLM 上下文,从而存在“外部来源自由文本→LLM上下文”的间接提示注入风险。
MEDIUM W013: Attempt to modify system services in skill instructions.
- Attempt to modify system services in skill instructions detected (high risk: 0.90). Flagged because the skill explicitly instructs the agent to check for and automatically install system packages (ffmpeg) using package managers including commands with sudo (e.g. sudo apt-get install -y ffmpeg), which requires elevated privileges and modifies the host system state.
Issues (3)
W007
HIGHInsecure credential handling detected in skill instructions.
W011
MEDIUMThird-party content exposure detected (indirect prompt injection risk).
W013
MEDIUMAttempt to modify system services in skill instructions.
Audit Metadata