video-analyzer

Fail

Audited by Gen Agent Trust Hub on Mar 10, 2026

Risk Level: HIGH
COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The Python script scripts/analyze_video.py contains a command injection vulnerability in the handle_transcript function. The lang parameter is accepted from input and interpolated directly into shell command strings executed via subprocess.run(shell=True) without sanitization or quoting. A crafted language string can be used to execute arbitrary shell commands on the host system.
  • [EXTERNAL_DOWNLOADS]: The skill fetches pre-trained machine learning models from Hugging Face's official repository at runtime to enable local transcription.
  • [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection as it processes untrusted transcripts from external video platforms.
      • Ingestion points: Video transcripts extracted by yt-dlp or whisper-cli in scripts/analyze_video.py.
      • Boundary markers: Absent; no delimiters are used when the transcript is presented to the agent.
      • Capability inventory: The agent can execute shell commands via the analyze_video.py script and perform network operations via yt-dlp and whisper-cli.
      • Sanitization: No sanitization is performed on the transcript content before analysis.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: Mar 10, 2026, 09:10 AM