website-to-hyperframes

Pass

Audited by Gen Agent Trust Hub on Apr 21, 2026

Risk Level: SAFE | EXTERNAL_DOWNLOADS | COMMAND_EXECUTION | PROMPT_INJECTION | REMOTE_CODE_EXECUTION
Full Analysis
  • [EXTERNAL_DOWNLOADS]: Fetches necessary development resources including the GSAP animation library and the dotLottie player from public CDNs (jsDelivr, Google Fonts) for use in the generated video compositions.
  • [COMMAND_EXECUTION]: Employs the npx package runner to execute the HyperFrames CLI for capturing website data, generating text-to-speech narration, transcribing audio, and validating project files.
  • [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it processes content from arbitrary external websites. An attacker could place malicious instructions on a website to manipulate the agent's summarization or script-writing process.
      • Ingestion points: Website content extracted during Step 1 (references/step-1-capture.md).
      • Boundary markers: No explicit boundary markers or instructions to ignore embedded commands are used when reading extracted site text.
      • Capability inventory: Shell command execution (npx), file system writes, and generation/execution of JavaScript code.
      • Sanitization: No sanitization of captured site text before it is used for script and storyboard generation.
  • [REMOTE_CODE_EXECUTION]: The skill generates and executes dynamic JavaScript compositions in a headless browser environment during the validation step (npx hyperframes validate), which is a standard part of the video generation pipeline.
Audit Metadata
Risk Level: SAFE
Analyzed: Apr 21, 2026, 07:18 AM