hyperframes
Fail
Audited by Gen Agent Trust Hub on Jun 19, 2026
Risk Level: HIGHCREDENTIALS_UNSAFEEXTERNAL_DOWNLOADSCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [CREDENTIALS_UNSAFE]: Hardcoded API keys found in the
.env.examplefile. Evidence includes a MiniMax API key starting with 'sk-api-u7DlDQ8T0h6GEGa4bCY7' and a Pexels API key 'W9iyYJPSUiwtPi8qwYXnlaqySGwWDG5Hj4ckB'. - [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection via its WeChat article processing workflow. \n
- Ingestion points: Untrusted data enters the agent context through the WeChat article parser (
wechat-article-video.md), which fetches content frommp.weixin.qq.comvia an external API and converts it to markdown. \n - Boundary markers: There are no explicit boundary markers or instructions provided to the agent to ignore or delimit potentially malicious instructions embedded within the fetched markdown content. \n
- Capability inventory: The skill possesses significant capabilities, including executing subprocesses (
curl,ffprobe,npx hyperframes,python3), performing file system operations (writingindex.html, audio, and image files), and making network requests to TTS and image APIs. \n - Sanitization: There is no evidence of sanitization, validation, or filtering of the external article content before it is used to generate the video composition, titles, and narration text.
- [EXTERNAL_DOWNLOADS]: The skill fetches resources and code from several external services to fulfill its video production tasks. It downloads the GSAP animation library from jsDelivr's CDN, searches for and retrieves images from the Pexels API, fetches processed WeChat article content from a Hugging Face Space, and generates audio assets via the MiniMax TTS API.
- [COMMAND_EXECUTION]: The workflow relies on the execution of various system commands and scripts. It uses the
npx hyperframesCLI for project linting, validation, and rendering; employsffprobeto determine audio file durations; and runs Python scripts to handle the TTS generation and timeline calculation logic.
Recommendations
- AI detected serious security threats
Audit Metadata