video-toolkit

Fail

Audited by Snyk on Apr 4, 2026

Risk Level: HIGH
Full Analysis

HIGH W007: Insecure credential handling detected in skill instructions.

  • Insecure credential handling detected (high risk: 0.80). The prompt instructs creating and placing API tokens and cloud credentials (e.g., HF_TOKEN, R2_SECRET_ACCESS_KEY, Modal endpoint URLs) into commands and .env files — including an example that passes a token as a command-line argument — which requires the agent to accept and potentially emit secret values verbatim, posing exfiltration risk.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

  • Potentially malicious external URL detected (high risk: 0.80). The skill requires Modal cloud endpoint URLs (e.g., MODAL_*_ENDPOINT_URL=https://...modal.run) which are used at runtime via the --cloud modal flags and invoke remote model code/execution, so an external URL is required and executes remote code.

Issues (2)

W007
HIGH

Insecure credential handling detected in skill instructions.

W012
MEDIUM

Unverifiable external dependency detected (runtime URL that controls agent).

Audit Metadata
Risk Level
HIGH
Analyzed
Apr 4, 2026, 11:00 PM
Issues
2
Security Audit — snyk — video-toolkit