website-to-framevideo
Pass
Audited by Gen Agent Trust Hub on Jun 14, 2026
Risk Level: SAFE
Full Analysis
- [COMMAND_EXECUTION]: The skill utilizes several CLI tools including
npx framevideo,node, andcurl. These are used for capturing site data, generating audio via TTS APIs, and validating the resulting project. These actions are transparent and align with the skill's stated purpose. - [EXTERNAL_DOWNLOADS]: During the capture phase, the skill downloads public assets (images, SVGs, fonts) from the user-provided URL. It also references well-known technology CDNs (e.g., jsDelivr) in generated HTML compositions to load animation libraries like GSAP and Three.js.
- [CREDENTIALS_UNSAFE]: The skill requires API keys for third-party services (Google Gemini, ElevenLabs, Chanjing). It follows security best practices by instructing the user to store these credentials in a
.envfile within the project directory rather than hardcoding them or requesting them in plain text. - [DATA_EXFILTRATION]: No malicious data exfiltration was detected. The skill sends content to legitimate AI and TTS providers as part of its core functionality (transcription and voice generation).
- [PROMPT_INJECTION]: The instructions focus entirely on the video creation workflow. There are no attempts to bypass safety filters or override the agent's core instructions.
- [REMOTE_CODE_EXECUTION]: The skill generates and executes local HTML and JavaScript files as part of the FrameVideo framework. This is the primary purpose of the skill and occurs within the user's local development environment.
Audit Metadata