seedance-2-video-gen

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 0.80). The prompt explicitly asks the assistant to prompt for and accept an EvoLink API key if EVOLINK_API_KEY isn't set and includes usage examples (export EVOLINK_API_KEY=your_key_here), which encourages users to paste keys into the chat and could cause the model to handle or echo the secret verbatim rather than keeping it only in an environment, creating an exfiltration risk.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill explicitly accepts arbitrary public image/video/audio URLs (scripts/seedance-gen.sh, references/api-params.md, README/SKILL.md examples) and exposes an optional text-mode web_search (SKILL.md and api-params.md) so the service/agent will fetch and interpret untrusted third‑party web content and media as part of generation, which can materially influence tool behavior and outputs.