heygen-video

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill explicitly fetches and ingests public web content and user-provided URLs (see references/asset-routing.md: "Use web_fetch to retrieve publicly accessible content" and "Public URL to web page (HTML) → A: Fetch and contextualize only"), and those fetched, untrusted third‑party pages are analyzed and baked into prompts/scripts that directly influence generation decisions, so this clearly allows indirect prompt injection.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.80). The skill explicitly performs web_fetch of user-supplied public URLs (e.g., arbitrary https://... URLs provided as assets per references/asset-routing.md) and then extracts and injects that fetched content into the generated script/prompt at runtime, so external webpages can directly control prompt content.