wjs-segmenting-video
Pass
Audited by Gen Agent Trust Hub on May 30, 2026
Risk Level: SAFE
Findings: PROMPT_INJECTION, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS
Full Analysis
- [PROMPT_INJECTION]: The skill contains an indirect prompt injection surface in scripts/make_cover.py. The title extracted from video transcripts is interpolated into instructions for an image generator without specific boundary markers or sanitization. Ingestion points: SRT transcript files. Boundary markers: None identified in the template. Capability inventory: Execution of ffmpeg, ffprobe, and node via subprocess. Sanitization: The slug field is validated by regex, but the title field is not sanitized.
- [COMMAND_EXECUTION]: Several scripts execute ffmpeg, ffprobe, and a local Node.js utility using subprocess.run with argument lists. This approach is used for segmenting video, burning subtitles, and prepending intro cards. Because arguments are passed as a list rather than as a shell string, it is implemented safely and avoids common shell injection vulnerabilities.
- [EXTERNAL_DOWNLOADS]: The skill documentation recommends installing standard media processing libraries such as mediapipe, opencv-python, and numpy. These are reputable, well-known packages from standard registries.
Audit Metadata