video-toolkit
Fail
Audited by Snyk on Apr 4, 2026
Risk Level: HIGH
Full Analysis
HIGH W007: Insecure credential handling detected in skill instructions.
- Insecure credential handling detected (high risk: 0.80). The prompt instructs creating and placing API tokens and cloud credentials (e.g., HF_TOKEN, R2_SECRET_ACCESS_KEY, Modal endpoint URLs) into commands and .env files — including an example that passes a token as a command-line argument — which requires the agent to accept and potentially emit secret values verbatim, posing exfiltration risk.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 0.80). The skill requires Modal cloud endpoint URLs (e.g., MODAL_*_ENDPOINT_URL=https://...modal.run) which are used at runtime via the --cloud modal flags and invoke remote model code/execution, so an external URL is required and executes remote code.
Issues (2)
W007
HIGHInsecure credential handling detected in skill instructions.
W012
MEDIUMUnverifiable external dependency detected (runtime URL that controls agent).
Audit Metadata