use-screenkite-advanced-b-roll

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 1.00). The prompt explicitly tells the agent to ask the user for ELEVEN_LABS_API_KEY if missing and write it into the project .env as ELEVEN_LABS_API_KEY=, which requires the LLM to receive and output the secret value verbatim.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.80). The skill's mandatory Phase 3 "Pack and proofread" step requires using WebSearch to verify and correct product/proper names from the transcript (writes corrections to /takes_packed_proofread.md), so the agent will fetch and interpret open/public web content whose findings directly change generated visuals and downstream actions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.80). The skill's Hyperframes composition boilerplate requires loading GSAP from the CDN at render time—https://cdn.jsdelivr.net/npm/gsap@3.14.2/dist/gsap.min.js—which will be fetched and executed by the renderer (headless Chrome) and is a required runtime dependency for the compositions.