oma-video
Pass
Audited by Gen Agent Trust Hub on Jun 13, 2026
Risk Level: SAFECOMMAND_EXECUTIONEXTERNAL_DOWNLOADSPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill invokes
ffmpegandffprobeas subprocesses inresources/mpt/driver.pyandresources/playwright/record.mjsto synthesize test patterns and mux video recordings. These calls use structured arguments and are necessary for the skill's media processing functionality. - [EXTERNAL_DOWNLOADS]: As documented in
resources/remotion/public/fonts/README.md, theoma video doctorutility fetches the Pretendard font from its official GitHub repository to ensure cross-platform render consistency. This is a neutral dependency fetch from a well-known service. - [PROMPT_INJECTION]: The
demomode processes user-supplied URLs for browser recording, which serves as an ingestion point for potentially untrusted content. Ingestion points: Untrusted URLs enter via the--urlargument in theoma video generateCLI. Boundary markers: Therecord.mjsdriver implements an interactive human-in-the-loop requirement where a user must manually drive the flow and stop the recording. Capability inventory: The skill can executeffmpegsubprocesses and write to the local file system (run directories). Sanitization: Themask()function inresources/playwright/record.mjsredacts query parameters and potential secrets from URLs before they are logged or stored in manifests.
Audit Metadata