digital-twin

Pass

Audited by Gen Agent Trust Hub on Jul 5, 2026

Risk Level: SAFECOMMAND_EXECUTIONEXTERNAL_DOWNLOADSDATA_EXFILTRATION
Full Analysis
  • [COMMAND_EXECUTION]: The skill uses subprocess.run to invoke system utilities like ffprobe for media duration checks and tesseract for captcha OCR. These calls use list-based arguments, which is a secure implementation that prevents shell injection.- [COMMAND_EXECUTION]: It invokes the nano-banana-pro skill's image generation script via a local subprocess to synthesize or stylize reference keyframes when requested by the user.- [EXTERNAL_DOWNLOADS]: The skill downloads generated audio and video assets from official ElevenLabs and fal.ai API endpoints. These are well-known services associated with the skill's primary purpose.- [CREDENTIALS_UNSAFE]: The logic includes the ability to retrieve API keys from neighboring skill configurations such as eleven-labs-skill and fal-video-skill. While this facilitates a unified workspace, it represents a pattern of cross-skill data access.- [DATA_EXFILTRATION]: User-provided audio samples and images are transmitted to external AI services (ElevenLabs, fal.ai) as required for the voice cloning and video synthesis pipeline. This is the intended primary purpose of the skill.
Audit Metadata
Risk Level
SAFE
Analyzed
Jul 5, 2026, 06:05 PM
Security Audit — agent-trust-hub — digital-twin