douyin-video-forge
Pass
Audited by Gen Agent Trust Hub on Jun 14, 2026
Risk Level: SAFECOMMAND_EXECUTIONEXTERNAL_DOWNLOADSPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill utilizes
subprocess.runwithin thescripts/kling_api.pyfile to executeffprobeandffmpeg. These commands are used to perform legitimate media operations, such as extracting the final frame of a video to ensure visual continuity between AI-generated segments and checking video durations for accurate processing. - [EXTERNAL_DOWNLOADS]: The skill performs external network requests to download video content from Douyin via
yt-dlpand communicates with the Kling AI API endpoint (api.klingai.com) using thehttpxlibrary. These operations are required for its primary function of gathering trending data and automating video generation. - [PROMPT_INJECTION]: The skill ingests untrusted data from the web, specifically Douyin video titles and user comments, to perform data analysis and trend matching. While this represents a surface for indirect prompt injection (Category 8), the risk is mitigated as the ingested data is used for high-level analysis and script generation by the LLM rather than being used to dynamically construct shell commands or executable code.
Audit Metadata