tgw-tech-canvas-video
Pass
Audited by Gen Agent Trust Hub on Jun 29, 2026
Risk Level: SAFECOMMAND_EXECUTIONEXTERNAL_DOWNLOADS
Full Analysis
- [COMMAND_EXECUTION]: The core utility
scripts/tech_canvas_pipeline.pyautomates the production workflow by executing system commands such asffmpeg,ffprobe, andgoogle-chrome. These interactions are performed securely usingsubprocess.run()with list-based arguments, avoiding the risks associated with shell command interpretation. - [EXTERNAL_DOWNLOADS]: The skill integrates the
whisperlibrary for transcribing audio from user videos. This library may download pre-trained models from OpenAI's official and trusted infrastructure upon first use. No other external downloads or remote script executions were detected. - [DATA_EXFILTRATION]: The skill is designed for local-only operation. Communication with the automated browser is conducted via the Chrome DevTools Protocol (CDP) over a local loopback connection (127.0.0.1). Furthermore, the script includes logic to detect and prevent the inclusion of ASR API keys or sensitive markers in the generated HTML and project manifests.
- [PROMPT_INJECTION]: The skill ingests untrusted data from user-provided script files (e.g.,
input/script.md) for rendering. While this creates a surface for indirect injection, the skill effectively mitigates this risk. - Ingestion points: Project workspace files read by
scripts/tech_canvas_pipeline.py. - Boundary markers: Not explicitly present for the input scripts.
- Capability inventory: File system access and system command execution (
ffmpeg,chrome). - Sanitization: The script utilizes
html.escape()andjson.dumps()to sanitize all text before it is interpolated into the rendering templates, preventing XSS and injection attacks within the browser context.
Audit Metadata