recoup-lyric-video
Warn
Audited by Snyk on Jun 23, 2026
Risk Level: MEDIUM
Full Analysis
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.75). Runtime calls
POST $BASE/content/transcribewith user-suppliedSONG_URL(public audio URL) and ingests the returnedfullLyrics/segments[].textinto the LLM flow for lyric timing/spelling, making the transcribed text an outsider source.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 0.80). The skill explicitly calls the runtime endpoint https://api.recoupable.com/api/content/templates (and the template-detail endpoint under https://api.recoupable.com/api/content/templates/{id}) to fetch "full recipe" objects that include prompts/motion/caption styles which are then injected into generation, meaning remote content directly controls the agent's prompts at runtime.
Issues (2)
W011
MEDIUMThird-party content exposure detected (indirect prompt injection risk).
W012
MEDIUMUnverifiable external dependency detected (runtime URL that controls agent).
Audit Metadata