video-polish
Pass
Audited by Gen Agent Trust Hub on Jul 2, 2026
Risk Level: SAFEEXTERNAL_DOWNLOADSCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill downloads a pre-trained Whisper model from Hugging Face's official repository. Evidence:
curl -L -o /tmp/ggml-base.en.bin "https://huggingface.co/ggerganov/whisper.cpp/resolve/main/ggml-base.en.bin"found in SKILL.md. - [COMMAND_EXECUTION]: The skill utilizes the Bash tool to execute various CLI tools for video processing, transcription, and image manipulation. Evidence: Use of
npx remotion,whisper-cli,ffmpeg, andpython(Pillow) across several steps in SKILL.md. - [PROMPT_INJECTION]: The skill processes untrusted data from audio transcripts to determine camera movements, creating a surface for indirect prompt injection. * Ingestion points: Reads transcript output from
whisper-cligenerated from user-provided video files (SKILL.md, Step 2). * Boundary markers: Absent. The agent is instructed to look for specific semantic cues in the transcript without explicit delimiters. * Capability inventory: High-privilege CLI tool access via Bash (ffmpeg, remotion) which could be misused if malicious instructions are embedded in the audio. * Sanitization: Absent. The skill instructions do not specify validation or filtering of the transcript text before processing logic occurs.
Audit Metadata