The Agent Skills Directory

[COMMAND_EXECUTION]: The skill executes external CLI tools to process media. It uses python3 -m yt_dlp to download video content and ffprobe to determine video duration. It also invokes the postplus CLI for billing and credit confirmations during the analysis workflow.
[EXTERNAL_DOWNLOADS]: The skill downloads social media videos (TikTok, Reels) from external URLs to the local environment. These downloads are performed by yt-dlp based on source URLs provided in a manifest file.
[DATA_EXFILTRATION]: Local video files and metadata are uploaded to a hosted Gemini API service for analysis. This process involves transmitting session tokens and content to the PostPlus platform, which is consistent with the skill's stated purpose of providing cloud-based video insights.
[PROMPT_INJECTION]: The skill exhibits an indirect prompt injection surface where untrusted source URLs from a manifest are interpolated into the Gemini prompt in scripts/run_video_analysis_batch.mjs. Ingestion points include the manifest-derived URLs; no boundary markers or sanitization are present to isolate the URL string from instructions. Capabilities include subprocess execution (yt-dlp, ffprobe), file system writes, and network operations via the PostPlus API. This finding is assessed as safe given the specific constraints of the prompt and the skill's utility.

video-analysis