beat-sync-video-editing
Pass
Audited by Gen Agent Trust Hub on Apr 21, 2026
Risk Level: SAFE
COMMAND_EXECUTION, PROMPT_INJECTION, EXTERNAL_DOWNLOADS
Full Analysis
- [COMMAND_EXECUTION]: The skill relies on executing several internal shell scripts and the FFmpeg utility to perform video processing. This involves passing dynamically generated strings to the shell.
- [PROMPT_INJECTION]: There is a potential indirect prompt injection surface as the user's editing description is used to generate an 'EditPlan' via an LLM, which is subsequently used to construct FFmpeg filter chains.
  * Ingestion points: User prompt input in SKILL.md Step 1.
  * Boundary markers: None documented.
  * Capability inventory: Shell script execution and FFmpeg command-line operations.
  * Sanitization: The workflow includes a validation script (validate-plan.sh) to verify JSON structure before processing.
- [EXTERNAL_DOWNLOADS]: The skill uses curl to communicate with the Google Gemini API for media analysis and plan generation.
  * Evidence: SKILL.md references the use of curl and a GEMINI_API_KEY within the gemini-edit-plan.sh script.
Audit Metadata