oma-video

Pass

Audited by Gen Agent Trust Hub on Jun 13, 2026

Risk Level: SAFECOMMAND_EXECUTIONEXTERNAL_DOWNLOADSPROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill invokes ffmpeg and ffprobe as subprocesses in resources/mpt/driver.py and resources/playwright/record.mjs to synthesize test patterns and mux video recordings. These calls use structured arguments and are necessary for the skill's media processing functionality.
  • [EXTERNAL_DOWNLOADS]: As documented in resources/remotion/public/fonts/README.md, the oma video doctor utility fetches the Pretendard font from its official GitHub repository to ensure cross-platform render consistency. This is a neutral dependency fetch from a well-known service.
  • [PROMPT_INJECTION]: The demo mode processes user-supplied URLs for browser recording, which serves as an ingestion point for potentially untrusted content. Ingestion points: Untrusted URLs enter via the --url argument in the oma video generate CLI. Boundary markers: The record.mjs driver implements an interactive human-in-the-loop requirement where a user must manually drive the flow and stop the recording. Capability inventory: The skill can execute ffmpeg subprocesses and write to the local file system (run directories). Sanitization: The mask() function in resources/playwright/record.mjs redacts query parameters and potential secrets from URLs before they are logged or stored in manifests.
Audit Metadata
Risk Level
SAFE
Analyzed
Jun 13, 2026, 12:19 PM
Security Audit — agent-trust-hub — oma-video