ce-demo-reel
Warn
Audited by Gen Agent Trust Hub on May 21, 2026
Risk Level: MEDIUMDATA_EXFILTRATIONCOMMAND_EXECUTIONREMOTE_CODE_EXECUTIONEXTERNAL_DOWNLOADS
Full Analysis
- [DATA_EXFILTRATION]: Captured visual media is uploaded to
catbox.moeandlitterbox.catbox.moeby default. These are anonymous, public file-hosting services. Any content uploaded is publicly accessible if the URL is known. This creates a risk of exposing sensitive internal UI components, source code, or environment details, despite the skill's instructions to avoid capturing credentials. - [COMMAND_EXECUTION]: The skill executes a bundled Python helper script (
scripts/capture-demo.py) which in turn invokes several local CLI tools, includingffmpeg,vhs,silicon, andagent-browser. This is necessary for the skill's media processing and project detection features. - [REMOTE_CODE_EXECUTION]: The skill dynamically generates
.tapefiles—scripts containing shell commands for the VHS recording tool—and then executes them locally. This pattern of generating and executing scripts based on the agent's interpretation of the workspace is a form of dynamic code execution. - [EXTERNAL_DOWNLOADS]: The skill's preflight check detects missing system dependencies (
ffmpeg,vhs,silicon) and instructs the user to download and install them via external package managers like Homebrew.
Audit Metadata