animated-video
Pass
Audited by Gen Agent Trust Hub on May 2, 2026
Risk Level: SAFE EXTERNAL_DOWNLOADS COMMAND_EXECUTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: Loads the Popmotion animation library from unpkg.com, a well-known and standard service for delivering NPM packages.
- [COMMAND_EXECUTION]: Utilizes Bash commands (cp, mkdir, open) to manage project directories and assets within the artifacts folder.
- [DATA_EXPOSURE]: Accesses project-specific and global design token configurations located at .claude/design-tokens.json and ~/.claude/design-systems/. These paths are specific to the agent's design environment and are used to ensure brand consistency in the generated animations.
- [INDIRECT_PROMPT_INJECTION]: The skill is designed to ingest data from various external sources such as Figma, GitHub, and PRD attachments. This introduces a potential surface for indirect prompt injection if the external data contains malicious instructions, though no exploitable capability chain was identified.