yuv-reel-covers

Warn

Audited by Gen Agent Trust Hub on Jun 17, 2026

Risk Level: MEDIUMCOMMAND_EXECUTIONEXTERNAL_DOWNLOADSREMOTE_CODE_EXECUTION
Full Analysis
  • [COMMAND_EXECUTION]: The script gen_cover.py uses subprocess.run with shell=True to execute ffmpeg. It interpolates the user-provided --out argument directly into the shell command. This creates a command injection vulnerability where a malicious user or crafted input containing shell metacharacters (like &, ;, or |) could execute arbitrary commands on the host system.
  • [EXTERNAL_DOWNLOADS]: The skill's instructions in SKILL.md and the implementation in gen_cover.py utilize npx --yes hyperframes@latest. This pattern downloads and executes the latest version of an external package from the NPM registry every time the command is run, which introduces a dependency on the availability and integrity of the remote package at runtime.
  • [REMOTE_CODE_EXECUTION]: The cover-studio.html application (and its generator build_app.py) includes functionality to dynamically import a JavaScript module for AI background removal from cdn.jsdelivr.net. This results in the execution of remote code within the user's browser context during the cutout process.
  • [DATA_EXPOSURE]: The build_app.py script is designed to read files from the local fonts/ and assets/ directories and embed their content as Base64 strings into the generated HTML file. While functional for this skill, this pattern demonstrates a capability to package local file content into portable web files.
Audit Metadata
Risk Level
MEDIUM
Analyzed
Jun 17, 2026, 07:42 AM
Security Audit — agent-trust-hub — yuv-reel-covers