beat-sync-reel

Pass

Audited by Gen Agent Trust Hub on Jul 2, 2026

Risk Level: SAFEEXTERNAL_DOWNLOADSCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
  • [EXTERNAL_DOWNLOADS]: The skill fetches audio and image data from external URLs using yt-dlp and curl. These network operations target well-known services including YouTube, Instagram, and TikTok, as well as product pages.
  • [COMMAND_EXECUTION]: The skill executes shell commands (ffmpeg, ffprobe, yt-dlp) and Python scripts (librosa, Pillow) to analyze media and generate video clips. These are standard operations for the skill's purpose.
  • [PROMPT_INJECTION]: The skill processes untrusted data from external URLs, representing an indirect prompt injection surface. Evidence chain: 1. Ingestion points: Product and audio URLs in SKILL.md. 2. Boundary markers: Absent. 3. Capability inventory: Bash (ffmpeg, yt-dlp, curl), Write, and Read. 4. Sanitization: No explicit sanitization for external content interpolation is mentioned.
Audit Metadata
Risk Level
SAFE
Analyzed
Jul 2, 2026, 06:17 AM
Security Audit — agent-trust-hub — beat-sync-reel