The Agent Skills Directory

[SAFE]: The skill interacts exclusively with official HeyGen service domains (api.heygen.com, upload.heygen.com, and files.heygen.ai), which are treated as well-known technology service endpoints.\n- [SAFE]: Secret management instructions follow security best practices by utilizing the HEYGEN_API_KEY environment variable rather than hardcoding credentials or exposing them in configuration files.\n- [SAFE]: File system operations, such as reading local assets for upload and writing generated video files to a local directory, are clearly documented and essential to the skill's primary purpose as a video creation tool.\n- [SAFE]: All network operations are directed towards legitimate service endpoints. The functionality to upload assets from a URL includes protocol validation (HTTPS enforcement) and is a standard feature for cloud-based media processing.\n- [SAFE]: The skill has an attack surface for indirect prompt injection as it processes user-provided text to generate video content; however, this is inherent to the service's functionality and no evidence of unsafe interpolation or lack of sanitization in the skill's own logic was found.

create-video