byted-byteplus-vod-video-enhancement
Pass
Audited by Gen Agent Trust Hub on May 7, 2026
Risk Level: SAFE
Full Analysis
- [DATA_EXPOSURE_AND_EXFILTRATION]: The skill uses environment variables (BYTEPLUS_ACCESSKEY, BYTEPLUS_SECRETKEY) for authentication, which is a recommended practice. It does not hardcode any sensitive credentials.
- [COMMAND_EXECUTION]: The skill implements a path validation check in scripts/upload.py (_validate_local_path), which restricts local file uploads to specific safe directories like the workspace, userdata, and /tmp. This prevents the agent from being used to exfiltrate arbitrary files from the host system.
- [EXTERNAL_DOWNLOADS]: The skill downloads and uploads media to BytePlus infrastructure (vod.byteplusapi.com, vod.volcengineapi.com) and TOS storage buckets. These are official vendor endpoints for the services provided.
- [INDIRECT_PROMPT_INJECTION]: The skill processes external URLs and file names. While this presents an attack surface, the risk is minimized by standard input validation and the lack of high-privilege operations being triggered by the processed content.
Audit Metadata