heygen-avatar
Fail
Audited by Gen Agent Trust Hub on May 18, 2026
Risk Level: HIGH
REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [REMOTE_CODE_EXECUTION]: The skill includes setup instructions that direct the user to install the HeyGen CLI by downloading and executing a script from the vendor's official domain: 'curl -fsSL https://static.heygen.ai/cli/install.sh | bash'. This remote code execution pattern is part of the vendor's documented installation procedure.
- [COMMAND_EXECUTION]: The skill relies on the execution of 'heygen' CLI commands (e.g., 'heygen avatar create', 'heygen voice list') and standard shell utilities (e.g., 'ln -sf' for symlink management) to perform its core tasks. These commands are used as intended for service interaction and file management within the workspace.
- [PROMPT_INJECTION]: The skill exhibits an indirect prompt injection surface by ingesting data from workspace files like 'SOUL.md' and 'IDENTITY.md' and incorporating it into prompts for the HeyGen API.
  1. Ingestion points: Identity details are extracted from 'SOUL.md' and 'IDENTITY.md' to define avatar appearance and voice.
  2. Boundary markers: No specific delimiters or 'ignore' instructions are used to encapsulate the content read from these files.
  3. Capability inventory: The skill has the capability to execute shell commands and write files to the workspace.
  4. Sanitization: No explicit sanitization or validation of the ingested file content is performed before it is used in API requests.
Recommendations
- HIGH: Downloads and executes remote code from: https://static.heygen.ai/cli/install.sh - DO NOT USE without thorough review