videolink
Warn
Audited by Snyk on Apr 23, 2026
Risk Level: MEDIUM
Full Analysis
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.80). The skill explicitly fetches and ingests user-generated content from Videolink endpoints (e.g., GET https://api.govideolink.com/v1/videos/{id}/ai-context?waitForAnalysis=true and /videos/ai-context-query or /search/videos) and instructs the agent to read that AI-generated transcript/summary into its working context and use it to drive decisions (naming, duplicate detection, sharing, sampling frames, and feeding multimodal models), so untrusted third-party content can materially influence subsequent actions.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 0.90). The skill explicitly fetches its runtime instructions from the remote SKILL (e.g. https://api.govideolink.com/v1/skills/videolink/SKILL.md and the version check at https://api.govideolink.com/.well-known/videolink-skill.json), so content fetched at runtime can replace and directly control the agent's prompts/instructions.
Issues (2)
W011
MEDIUMThird-party content exposure detected (indirect prompt injection risk).
W012
MEDIUMUnverifiable external dependency detected (runtime URL that controls agent).
Audit Metadata