media-use

Fail

Audited by Gen Agent Trust Hub on Jun 27, 2026

Risk Level: HIGHREMOTE_CODE_EXECUTIONCOMMAND_EXECUTIONEXTERNAL_DOWNLOADSPROMPT_INJECTION
Full Analysis
  • [REMOTE_CODE_EXECUTION]: The SKILL.md file contains instructions to install the heygen CLI by downloading a script from https://static.heygen.ai/cli/install.sh and piping it directly to bash. This method bypasses integrity checks and executes third-party code with the user's privileges.
  • [COMMAND_EXECUTION]: Scripts such as probe.mjs and heygen-search.mjs invoke external binaries (ffprobe and heygen) using execFileSync. Although this implementation is resistant to shell injection due to the use of argument arrays, it requires the pre-installation of external software that operates outside the skill's immediate control.
  • [EXTERNAL_DOWNLOADS]: The freeze.mjs utility downloads media files from provider-supplied URLs. While it enforces a 256MB file size limit to mitigate disk exhaustion, it facilitates the transfer of external data into the local environment.
  • [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it incorporates untrusted metadata from the HeyGen catalog into the .media/index.md file. If the external provider's data is compromised, an attacker could include malicious instructions that the agent might interpret as authoritative when reading the inventory.
Recommendations
  • HIGH: Downloads and executes remote code from: https://static.heygen.ai/cli/install.sh - DO NOT USE without thorough review
  • AI detected serious security threats
Audit Metadata
Risk Level
HIGH
Analyzed
Jun 27, 2026, 11:28 PM
Security Audit — agent-trust-hub — media-use