happy-video-gen

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.80). The skill's required workflow (SKILL.md Step 3 "submit a job, poll until the provider finishes, then downloads the MP4 / WebM") and the provider implementations (scripts/providers/*.ts, e.g., ark.ts, fal.ts, google.ts) explicitly fetch and follow URLs and JSON returned by third‑party video provider APIs (response_url/video_url/status_url), meaning it ingests untrusted third‑party responses and uses their content (including URLs and status payloads) to decide polling, resume, and download actions.