video-lyrics-subtitle
Pass
Audited by Gen Agent Trust Hub on Jun 19, 2026
Risk Level: SAFE
Full Analysis
- [COMMAND_EXECUTION]: The script scripts/generate_srt.py executes ffprobe using subprocess.run() to determine audio duration. The command is invoked using an argument list rather than a shell string, which effectively mitigates the risk of shell injection.
- [COMMAND_EXECUTION]: The shell script scripts/burn_subtitles.sh orchestrates the burning of subtitles into videos via ffmpeg. It employs proper variable quoting for file paths and implements a custom escaping mechanism for FFmpeg filter syntax to handle special characters in filenames safely.
- [DATA_EXPOSURE]: The skill operates on user-provided media files and lyrics text. No unauthorized access to sensitive system files, environment variables, or external network exfiltration was detected.
- [INDIRECT_PROMPT_INJECTION]: The skill processes untrusted input in the form of lyrics and subtitle files. However, these are processed as raw data by Python parsers and external binary tools (FFmpeg) rather than being interpreted as instructions by the AI agent, significantly limiting the attack surface.
Audit Metadata