youtube-thumbnail-analyzer

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 1.00). The skill asks the agent to check memory and prompt the user to "please paste your" YouTube API key and shows running the script with YT_API_KEY=API_KEY (a pattern that would require inserting the raw key into commands), so the LLM would receive and may need to output the secret verbatim.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill explicitly fetches public, user-generated YouTube content (via the YouTube Data API and img.youtube.com) and Step 8 of SKILL.md requires the agent to read and interpret those downloaded thumbnails with the Read tool, which directly influences the generated analysis, recommendations, and next actions—exposing the agent to untrusted third-party content that could carry indirect prompt injections.