media-use
Fail
Audited by Gen Agent Trust Hub on Jun 27, 2026
Risk Level: HIGHREMOTE_CODE_EXECUTIONCOMMAND_EXECUTIONEXTERNAL_DOWNLOADSPROMPT_INJECTION
Full Analysis
- [REMOTE_CODE_EXECUTION]: The
SKILL.mdfile contains instructions to install theheygenCLI by downloading a script fromhttps://static.heygen.ai/cli/install.shand piping it directly tobash. This method bypasses integrity checks and executes third-party code with the user's privileges. - [COMMAND_EXECUTION]: Scripts such as
probe.mjsandheygen-search.mjsinvoke external binaries (ffprobeandheygen) usingexecFileSync. Although this implementation is resistant to shell injection due to the use of argument arrays, it requires the pre-installation of external software that operates outside the skill's immediate control. - [EXTERNAL_DOWNLOADS]: The
freeze.mjsutility downloads media files from provider-supplied URLs. While it enforces a 256MB file size limit to mitigate disk exhaustion, it facilitates the transfer of external data into the local environment. - [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it incorporates untrusted metadata from the HeyGen catalog into the
.media/index.mdfile. If the external provider's data is compromised, an attacker could include malicious instructions that the agent might interpret as authoritative when reading the inventory.
Recommendations
- HIGH: Downloads and executes remote code from: https://static.heygen.ai/cli/install.sh - DO NOT USE without thorough review
- AI detected serious security threats
Audit Metadata