make-a-video

Pass

Audited by Gen Agent Trust Hub on Apr 19, 2026

Risk Level: SAFE (COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION)
Full Analysis
  • [COMMAND_EXECUTION]: The skill executes shell commands using ffmpeg to extract specific video frames for quality assurance and npx to interact with the HyperFrames CLI tools for project initialization, linting, and rendering.
  • [EXTERNAL_DOWNLOADS]: The skill invokes npx, which is designed to download and execute packages from the npm registry if they are not already cached locally.
  • [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it transforms untrusted user input (scripts and outlines) into executable code (HTML and JavaScript) for video compositions.
    • Ingestion points: User input captured during the interview gates (Gates 1, 2, and 3) in SKILL.md.
    • Boundary markers: The workflow enforces a manual review gate where the agent must present a BRIEF.md and STORYBOARD.md to the user for explicit approval before building.
    • Capability inventory: File system writes for scaffolding and composition creation, shell command execution via ffmpeg and npx, and local network serving (all occurring via instructions in SKILL.md).
    • Sanitization: The skill lacks explicit logic to sanitize or escape user-provided text before it is interpolated into the generated composition files.
Audit Metadata
  • Risk Level: SAFE
  • Analyzed: Apr 19, 2026, 11:49 AM