tgravity-work-tech-canvas-video

Pass

Audited by Gen Agent Trust Hub on Jun 27, 2026

Risk Level: SAFECOMMAND_EXECUTION
Full Analysis
  • [COMMAND_EXECUTION]: The core logic in scripts/tech_canvas_pipeline.py uses subprocess.run to execute system commands such as ffmpeg, ffprobe, and google-chrome. These executions are performed using list-based arguments, which is a security best practice that prevents shell command injection.
  • [EXTERNAL_DOWNLOADS]: The skill references standard external dependencies including the whisper Python package (for local transcription) and npx hyperframes (for HTML rendering). These are well-known tools used according to their intended functionality and are not fetched from untrusted sources.
  • [DATA_EXPOSURE]: The skill is designed for local-only operation within a user-defined workspace. It explicitly avoids using cloud-based ASR services to protect user privacy. Network activity is limited to local socket communication (127.0.0.1) used to control a local Chrome instance via the Chrome DevTools Protocol (CDP).
  • [DYNAMIC_EXECUTION]: The pipeline generates a local HTML file (hyperframes/index.html) containing CSS and JavaScript. This file is rendered by a headless browser to produce video frames. The script utilizes proper HTML escaping (via the html.escape module) when injecting user-supplied script text into these templates, mitigating risks of cross-site scripting (XSS) or prompt-driven injection during the rendering phase.
Audit Metadata
Risk Level
SAFE
Analyzed
Jun 27, 2026, 08:01 AM
Security Audit — agent-trust-hub — tgravity-work-tech-canvas-video