video-gen

Fail

Audited by Gen Agent Trust Hub on Jul 4, 2026

Risk Level: CRITICALREMOTE_CODE_EXECUTIONCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
  • [REMOTE_CODE_EXECUTION]: The skill directs users to install a CLI tool by piping a script from a remote URL directly to the shell: curl -fsSL https://raw.githubusercontent.com/higgsfield-ai/cli/main/install.sh | sh. This pattern is highly insecure as it allows for the execution of unverified remote code with user privileges.
  • [COMMAND_EXECUTION]: The skill uses npx hyperframes to run a Node.js package and references other external tools for video and image processing.
  • [PROMPT_INJECTION]: The skill acts as a router for user-provided prompts to various generation engines, creating a surface for indirect prompt injection.
  • Ingestion points: User requests for image and video generation (e.g., "make a video", "generate an image") are processed by the skill in SKILL.md.
  • Boundary markers: None identified to separate user input from system instructions.
  • Capability inventory: Use of Higgsfield CLI, npx hyperframes, and Descript MCP calls to external services.
  • Sanitization: No evidence of input validation or escaping before passing user content to external engines.
Recommendations
  • HIGH: Downloads and executes remote code from: https://raw.githubusercontent.com/higgsfield-ai/cli/main/install.sh - DO NOT USE without thorough review
  • AI detected serious security threats
Audit Metadata
Risk Level
CRITICAL
Analyzed
Jul 4, 2026, 10:57 PM
Security Audit — agent-trust-hub — video-gen