music-to-video

Warn

Audited by Gen Agent Trust Hub on Jun 24, 2026

Risk Level: MEDIUM (EXTERNAL_DOWNLOADS, COMMAND_EXECUTION)
Full Analysis
  • [COMMAND_EXECUTION]: The skill orchestrates video project initialization and rendering through multiple shell commands and CLI tool invocations.
  • Evidence: SKILL.md includes commands for npx hyperframes init, npx hyperframes render, and execution of local node scripts like stage-assets.mjs.
  • [COMMAND_EXECUTION]: The audio analysis script uses a subprocess to invoke ffmpeg for audio transcoding and processing.
  • Evidence: scripts/analyze-beatgrid.py executes subprocess.run(["ffmpeg", ...]) to convert audio to mono float32 wav files.
  • [EXTERNAL_DOWNLOADS]: The skill requires the installation of several Python packages at runtime to support its audio analysis functionality.
  • Evidence: SKILL.md instructs the user to run python3 -m pip install librosa numpy soundfile.
  • [EXTERNAL_DOWNLOADS]: Resources such as JavaScript libraries and fonts are loaded from public CDNs in generated index files and templates.
  • Evidence: scripts/assemble-index.mjs loads GSAP from cdn.jsdelivr.net, and references/templates/held-message-living-field/index.html loads Three.js and Google Fonts.
  • [EXTERNAL_DOWNLOADS]: A vendored version of the GSAP library within the skill contains deceptive metadata, including a non-existent version number and a future copyright date, which could indicate unofficial modifications.
  • Evidence: references/motion-primitives/assets/gsap.min.js contains a header claiming GSAP 3.15.0 and Copyright 2026, whereas the current official version is 3.12.x.
Audit Metadata
  • Risk Level: MEDIUM
  • Analyzed: Jun 24, 2026, 03:53 PM