video-polish

Pass

Audited by Gen Agent Trust Hub on Jul 2, 2026

Risk Level: SAFEEXTERNAL_DOWNLOADSCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
  • [EXTERNAL_DOWNLOADS]: The skill downloads a pre-trained Whisper model from Hugging Face's official repository. Evidence: curl -L -o /tmp/ggml-base.en.bin "https://huggingface.co/ggerganov/whisper.cpp/resolve/main/ggml-base.en.bin" found in SKILL.md.
  • [COMMAND_EXECUTION]: The skill utilizes the Bash tool to execute various CLI tools for video processing, transcription, and image manipulation. Evidence: Use of npx remotion, whisper-cli, ffmpeg, and python (Pillow) across several steps in SKILL.md.
  • [PROMPT_INJECTION]: The skill processes untrusted data from audio transcripts to determine camera movements, creating a surface for indirect prompt injection. * Ingestion points: Reads transcript output from whisper-cli generated from user-provided video files (SKILL.md, Step 2). * Boundary markers: Absent. The agent is instructed to look for specific semantic cues in the transcript without explicit delimiters. * Capability inventory: High-privilege CLI tool access via Bash (ffmpeg, remotion) which could be misused if malicious instructions are embedded in the audio. * Sanitization: Absent. The skill instructions do not specify validation or filtering of the transcript text before processing logic occurs.
Audit Metadata
Risk Level
SAFE
Analyzed
Jul 2, 2026, 06:17 AM
Security Audit — agent-trust-hub — video-polish