promo-video
Fail
Audited by Gen Agent Trust Hub on Mar 30, 2026
Risk Level: HIGH (PROMPT_INJECTION)
Full Analysis
- [REMOTE_CODE_EXECUTION]: The script 'scripts/generate_voiceover.py' downloads audio data from the ElevenLabs API using urllib.request.urlopen. While scanners may flag this download-then-process pattern, the data is verified as audio and processed via ffprobe for duration, which is a standard media workflow.
- [COMMAND_EXECUTION]: The skill performs shell operations including npm install, ffmpeg for media mixing, and npx for project initialization and preview. These commands are necessary for the skill's documented functionality.
- [EXTERNAL_DOWNLOADS]: The skill fetches royalty-free audio tracks from well-known media providers such as Pixabay and Bensound using curl. These assets are used as background music and do not contain executable code.
- [PROMPT_INJECTION]: The skill exposes an indirect prompt injection surface by reading local project metadata, git history, and source code to generate video context. This is a minor attack surface common to skills that process untrusted project data without explicit boundary markers.
Recommendations
- HIGH: Downloads and executes remote code from: unknown (check file) - DO NOT USE without thorough review
Audit Metadata