yuv-reel-covers
Warn
Audited by Gen Agent Trust Hub on Jun 17, 2026
Risk Level: MEDIUMCOMMAND_EXECUTIONEXTERNAL_DOWNLOADSREMOTE_CODE_EXECUTION
Full Analysis
- [COMMAND_EXECUTION]: The script
gen_cover.pyusessubprocess.runwithshell=Trueto executeffmpeg. It interpolates the user-provided--outargument directly into the shell command. This creates a command injection vulnerability where a malicious user or crafted input containing shell metacharacters (like&,;, or|) could execute arbitrary commands on the host system. - [EXTERNAL_DOWNLOADS]: The skill's instructions in
SKILL.mdand the implementation ingen_cover.pyutilizenpx --yes hyperframes@latest. This pattern downloads and executes the latest version of an external package from the NPM registry every time the command is run, which introduces a dependency on the availability and integrity of the remote package at runtime. - [REMOTE_CODE_EXECUTION]: The
cover-studio.htmlapplication (and its generatorbuild_app.py) includes functionality to dynamically import a JavaScript module for AI background removal fromcdn.jsdelivr.net. This results in the execution of remote code within the user's browser context during the cutout process. - [DATA_EXPOSURE]: The
build_app.pyscript is designed to read files from the localfonts/andassets/directories and embed their content as Base64 strings into the generated HTML file. While functional for this skill, this pattern demonstrates a capability to package local file content into portable web files.
Audit Metadata