promo-video
Pass
Audited by Gen Agent Trust Hub on May 7, 2026
Risk Level: SAFE, PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
- [INDIRECT_PROMPT_INJECTION]: The skill requires the agent to read and analyze untrusted game source files (like GameScene.js) to determine how to patch game logic and generate input sequences. This creates a surface where malicious code comments or identifiers in the source could influence the agent's script generation.
  - Ingestion points: Analyzes local project files (e.g., `GameScene.js`) to find method names for collision and game-over logic.
  - Boundary markers: None. The skill does not instruct the agent to use delimiters or ignore embedded instructions when reading source code.
  - Capability inventory: The skill generates a JavaScript execution file (`scripts/capture-promo.mjs`) and executes shell commands including `npx playwright` and `ffmpeg`.
  - Sanitization: The skill lacks sanitization logic for the patterns extracted from the analyzed source code before including them in the generated script template.
- [DYNAMIC_EXECUTION]: The skill uses a template-based approach to generate a functional Node.js script (`scripts/capture-promo.mjs`) at runtime, which is then executed to control the browser.
  - Evidence: The `SKILL.md` file provides a 'Full Capture Script Template' and instructions for the subagent to adapt and write this file to the project directory before execution.
- [COMMAND_EXECUTION]: The skill performs multiple shell command executions to facilitate video recording and post-processing.
  - Evidence: The skill executes `npx playwright --version`, `ffmpeg -version`, and a bundled shell script `scripts/convert-highfps.sh` to perform video encoding and FPS adjustments.
Audit Metadata