Skills
skills/postplusai/postplus-skills/reference-decode/Gen Agent Trust Hub

reference-decode

Pass

Audited by Gen Agent Trust Hub on May 17, 2026

Risk Level: SAFEEXTERNAL_DOWNLOADSCOMMAND_EXECUTION
Full Analysis
  • [EXTERNAL_DOWNLOADS]: The skill uses yt-dlp to download video references from remote URLs specified in user-provided manifests. This behavior is consistent with the skill's primary purpose of decoding benchmark videos.
  • [COMMAND_EXECUTION]: The skill executes the ffmpeg binary for video generation and python3 -m yt_dlp for media retrieval. It also executes internal Node.js scripts (such as artifact ingestors) within its local workspace runtime. These operations are performed using standard subprocess methods.
  • [SAFE]: The skill manages a vendor-specific session token in the user's local configuration directory (e.g., ~/.config/postplus/config.json) to authenticate with the PostPlus Cloud API. It also implements SHA256-based integrity verification for execution approvals and restricts its local dashboard server to the loopback interface (127.0.0.1) to prevent external access.
Audit Metadata
Risk Level
SAFE
Analyzed
May 17, 2026, 07:44 AM
Security Audit — agent-trust-hub — reference-decode