byted-util-video-editor
Fail
Audited by Gen Agent Trust Hub on May 18, 2026
Risk Level: HIGHCOMMAND_EXECUTION
Full Analysis
- [COMMAND_EXECUTION]: The script
scripts/video_editor.pycontains a command injection vulnerability in theburn_subtitles_to_videofunction. - The function includes a fallback mechanism that uses
subprocess.run()withshell=Trueon a command string constructed using f-strings. - This command string directly interpolates variables like
video_file,sub_name, andoutput_file, which are derived from user-provided arguments. - An attacker could provide a maliciously crafted filename containing shell metacharacters (e.g.,
;,&,|, or$()) to execute arbitrary commands on the host system with the privileges of the agent. - For example, an output filename such as
"; touch pwned; #.mp4"would cause the shell to execute thetouch pwnedcommand.
Recommendations
- AI detected serious security threats
Audit Metadata