create-chatgpt-video-ad

Pass

Audited by Gen Agent Trust Hub on Jul 2, 2026

Risk Level: SAFE
Full Analysis
  • [COMMAND_EXECUTION]: The skill invokes ffmpeg through child_process.execSync in the recording scripts and via subprocess.run within a Python block in the stitch.sh script. These operations are essential for its primary purpose of rendering video and layering audio cues. The command arguments are constructed using controlled local paths and validated inputs from configuration files.
  • [EXTERNAL_DOWNLOADS]: The skill utilizes the playwright Node.js library and the ffmpeg system utility. Both are well-known, industry-standard tools for browser automation and media processing. The skill does not perform any unverified remote code downloads.
  • [INDIRECT_PROMPT_INJECTION]: The skill processes user-supplied content (a "brief") to generate a conversation thread. This content is then rendered into the mockup. While this presents a surface for indirect prompt injection, it is the core functionality of the skill. The conversion of user input into structured JSON (thread.json) by the agent serves as a validation step before rendering.
Audit Metadata
Risk Level
SAFE
Analyzed
Jul 2, 2026, 06:17 AM
Security Audit — agent-trust-hub — create-chatgpt-video-ad