byted-util-video-editor

Fail

Audited by Gen Agent Trust Hub on May 18, 2026

Risk Level: HIGHCOMMAND_EXECUTION
Full Analysis
  • [COMMAND_EXECUTION]: The script scripts/video_editor.py contains a command injection vulnerability in the burn_subtitles_to_video function.
  • The function includes a fallback mechanism that uses subprocess.run() with shell=True on a command string constructed using f-strings.
  • This command string directly interpolates variables like video_file, sub_name, and output_file, which are derived from user-provided arguments.
  • An attacker could provide a maliciously crafted filename containing shell metacharacters (e.g., ;, &, |, or $()) to execute arbitrary commands on the host system with the privileges of the agent.
  • For example, an output filename such as "; touch pwned; #.mp4" would cause the shell to execute the touch pwned command.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level
HIGH
Analyzed
May 18, 2026, 06:19 AM
Security Audit — agent-trust-hub — byted-util-video-editor