media-upload
Pass
Audited by Gen Agent Trust Hub on Mar 20, 2026
Risk Level: SAFE
Full Analysis
- [SAFE]: The skill uses environment variables for sensitive credentials, avoiding hardcoded secrets in the source code.
- [SAFE]: All network operations are directed at well-known and legitimate service endpoints for Vimeo and Bunny CDN.
- [COMMAND_EXECUTION]: The documentation references a local setup script for initial configuration, which is a standard procedure for this vendor's tools.
- [DATA_EXFILTRATION]: The skill's primary function is to transmit local media files to external hosting platforms, specifically targeting reputable services.
- [PROMPT_INJECTION]: The skill presents an indirect prompt injection surface by accepting external file paths for upload operations.
  - Ingestion points: filePath argument in all functions within lib/upload.cjs.
  - Boundary markers: Absent in the library code.
  - Capability inventory: File system read access (fs.readFileSync) and network egress (fetch) in lib/upload.cjs.
  - Sanitization: The skill does not validate whether the provided file path points to sensitive system files before reading and uploading.