pr-to-video

Pass

Audited by Gen Agent Trust Hub on Jun 24, 2026

Risk Level: SAFE
Findings: COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill uses execFileSync to run the GitHub CLI (gh) for fetching Pull Request metadata and diffs. It also uses spawnSync to execute a local Node.js audio engine for narration and sound effects.
  • [EXTERNAL_DOWNLOADS]: The skill fetches contributor avatars directly from github.com and includes the GSAP animation library from the jsdelivr.net CDN. These are well-known and trusted services.
  • [PROMPT_INJECTION]: The skill ingests untrusted content from GitHub Pull Requests (titles, descriptions, and code diffs). This data is used to generate the video storyboard and script, creating an indirect prompt injection surface. The risk is minimized as the data is primarily used for generating narrative content within a structured video workflow.
  • [COMMAND_EXECUTION]: The orchestrator uses the npx command to run the hyperframes CLI for project initialization, asset management, and final video rendering.
Audit Metadata
Risk Level
SAFE
Analyzed
Jun 24, 2026, 02:45 AM
Security Audit — agent-trust-hub — pr-to-video