meitu-video-dance

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 1.00). The prompt instructs configuring AK/SK via commands like meitu config set-ak --value "..." and tells the agent to guide users to set credentials when missing, which encourages passing or echoing secret values verbatim in CLI commands (an exfiltration risk).

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 1.00). The skill's Execute step requires accepting arbitrary image_url and video_url inputs (skilled described in SKILL.md "Execute → 1. 收集与验证输入" and the input table showing "URL or local path"), so it fetches and interprets untrusted third-party web content (reference videos/images) that can materially change prompts and subsequent tool actions.