tgravity-work-tech-canvas-video
Pass
Audited by Gen Agent Trust Hub on Jun 27, 2026
Risk Level: SAFECOMMAND_EXECUTION
Full Analysis
- [COMMAND_EXECUTION]: The core logic in
scripts/tech_canvas_pipeline.pyusessubprocess.runto execute system commands such asffmpeg,ffprobe, andgoogle-chrome. These executions are performed using list-based arguments, which is a security best practice that prevents shell command injection. - [EXTERNAL_DOWNLOADS]: The skill references standard external dependencies including the
whisperPython package (for local transcription) andnpx hyperframes(for HTML rendering). These are well-known tools used according to their intended functionality and are not fetched from untrusted sources. - [DATA_EXPOSURE]: The skill is designed for local-only operation within a user-defined workspace. It explicitly avoids using cloud-based ASR services to protect user privacy. Network activity is limited to local socket communication (
127.0.0.1) used to control a local Chrome instance via the Chrome DevTools Protocol (CDP). - [DYNAMIC_EXECUTION]: The pipeline generates a local HTML file (
hyperframes/index.html) containing CSS and JavaScript. This file is rendered by a headless browser to produce video frames. The script utilizes proper HTML escaping (via thehtml.escapemodule) when injecting user-supplied script text into these templates, mitigating risks of cross-site scripting (XSS) or prompt-driven injection during the rendering phase.
Audit Metadata