podcast-workflow

Fail

Audited by Snyk on Apr 30, 2026

Risk Level: HIGH
Full Analysis

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 1.00). The SKILL.md workflow explicitly fetches and ingests public YouTube content (Step A: running youtube-feed/scripts/get_updates.py to list channel updates; Step 1/Entry B: running youtube-transcript-cn/scripts/get_transcript.py on a YouTube URL) — both are untrusted, user-generated third-party content that the agent is required to read/interpret and whose contents directly drive downstream actions (content-digest processing and publishing), creating an indirect prompt-injection risk.

HIGH W008: Secret detected in skill content (API keys, tokens, passwords).

  • Secret detected (high risk: 1.00). I scanned the entire skill prompt for literal, high-entropy credentials. The only string that looks like a real, usable secret is the Feishu parent node token shown as:
  • TOSJwKzxTiFdiRk0aducHNBFntg

Why this is flagged:

  • It is a literal value (not a placeholder) and appears random/high-entropy.
  • It is labeled "父节点 Token" which implies it may be used to access or reference a Feishu wiki resource, making it potentially sensitive/usable.

Other items examined and ignored:

  • Masked/truncated values like "https://my.feishu.cn/wiki/xxx", YouTube links with "xxx"/"xxxxx", and example command arguments (e.g., "YOUTUBE_URL") — these are placeholders/redactions.
  • Local file paths (/Users/ugreen/...) — not secrets.
  • Skill names, configuration labels, and simple example strings — documentation or low-entropy examples and thus not flagged.

No API keys, private key blocks, or other high-entropy secrets were found aside from the Feishu parent token above.

Issues (2)

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

HIGH W008: Secret detected in skill content (API keys, tokens, passwords).

Audit Metadata
Risk Level: HIGH
Analyzed: Apr 30, 2026, 04:18 PM
Issues: 2