fal-veo3-image-to-video

Pass

Audited by Gen Agent Trust Hub on Mar 29, 2026

Risk Level: SAFE
Categories: DATA_EXFILTRATION, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
  • [DATA_EXFILTRATION]: The scripts/generate.mjs script reads local files via the --image and --param @path arguments. It does not perform validation on file types or restrict access to specific directories, allowing it to read any file accessible to the process and transmit its contents to the external fal.ai API.
  • [COMMAND_EXECUTION]: The skill executes a local Node.js script to manage the video generation workflow, including file system access and network operations.
  • [EXTERNAL_DOWNLOADS]: The script downloads media files from external URLs returned by the fal.ai API and saves them to the local filesystem.
  • [PROMPT_INJECTION]: The skill presents an indirect prompt injection surface by processing untrusted text prompts and external image URLs.
      • Ingestion points: Untrusted data enters via the --prompt and --image arguments in scripts/generate.mjs.
      • Boundary markers: The script lacks delimiters or instructions to prevent the processing of instructions embedded in the input.
      • Capability inventory: The skill can read arbitrary local files, perform network requests to any domain, and write to the local filesystem.
      • Sanitization: No validation or sanitization is performed on the prompt or external content.
Audit Metadata
  • Risk Level: SAFE
  • Analyzed: Mar 29, 2026, 10:03 AM