lightx2v-ai-video-generation
Fail
Audited by Gen Agent Trust Hub on Jun 23, 2026
Risk Level: HIGHREMOTE_CODE_EXECUTIONCOMMAND_EXECUTIONEXTERNAL_DOWNLOADSPROMPT_INJECTION
Full Analysis
- [REMOTE_CODE_EXECUTION]: The skill instructs the user to download and execute an installation script from the vendor's official GitHub repository (https://raw.githubusercontent.com/ModelTC/lightx2v-studio-cli/main/install.sh) using a piped-to-shell pattern. This is the intended mechanism for setting up the required CLI environment.
- [COMMAND_EXECUTION]: The skill utilizes the lightx2v command-line tool for authentication, model listing, and task execution. These operations are restricted to the allowed-tools configuration in the skill's metadata.
- [EXTERNAL_DOWNLOADS]: The skill facilitates downloading the CLI installation script and generated media files from the LightX2V platform.
- [PROMPT_INJECTION]: The skill processes untrusted external data in the form of user-provided text prompts and local media files (images, audio, video) which are passed to the generation models. 1. Ingestion points: CLI arguments such as --prompt, --input, --image, --video, and --audio in SKILL.md. 2. Boundary markers: None identified; the skill directly interpolates user input into tool commands. 3. Capability inventory: The lightx2v tool can perform network operations (API submission/polling) and local file system writes (output downloading). 4. Sanitization: No explicit sanitization or validation of input content is described in the skill instructions.
Recommendations
- HIGH: Downloads and executes remote code from: https://raw.githubusercontent.com/ModelTC/lightx2v-studio-cli/main/install.sh - DO NOT USE without thorough review
Audit Metadata