wjs-converting-text-to-video
Pass
Audited by Gen Agent Trust Hub on May 30, 2026
Risk Level: SAFE
Full Analysis
- [COMMAND_EXECUTION]: The skill utilizes ffmpeg and ffprobe for media processing, and the hyperframes CLI for video rendering. All subprocess calls use argument lists rather than shell strings, effectively mitigating command injection risks.
- [EXTERNAL_DOWNLOADS]: The workflow interacts with external APIs including the Volcano (ByteDance) TTS API for audio generation and the YouTube Data API for video uploading. These interactions are documented and align with the skill's primary purpose.
- [EXTERNAL_DOWNLOADS]: The video composition template (index.html) references the GSAP animation library from the jsdelivr.net CDN, which is a trusted and well-known service for front-end development.
- [CREDENTIALS_UNSAFE]: The skill manages authentication tokens and API keys through a local .env file and standard configuration paths (~/.config/youtube/token.json). No secrets are hardcoded within the distributed scripts.
- [INDIRECT_PROMPT_INJECTION]: The skill ingests article content to generate video scripts and metadata. While it processes untrusted data, the output is confined to a rendered media file, which significantly limits the potential for downstream exploitation.
- [PERSISTENCE_MECHANISMS]: A cron job is utilized for the automated YouTube upload batching process. This is a documented feature intended to manage YouTube's API quotas and does not exhibit malicious behavior.
Audit Metadata