generate-youtube-thumbnail

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.80). The skill requires and fetches arbitrary public reference image URLs (see SKILL.md "Reference images must be PUBLIC URLs" and scripts/generate-batch.sh which verifies and embeds COMMON_REF_URLS into input.image_input), and those untrusted user-provided resources are read and used to compose prompts and generation decisions, so third-party content can materially influence tool behavior.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 1.00). The batch script requires and validates public reference image URLs (e.g., "https://your-host.example.com/face/headshot.jpg" from the COMMON_REF_URLS array) which are fetched at runtime and injected into the model's input (input.image_input) so remote content directly controls generation outputs.