Skills
skills/postplusai/postplus-skills/video-request-architect/Gen Agent Trust Hub

video-request-architect

Pass

Audited by Gen Agent Trust Hub on May 20, 2026

Risk Level: SAFECOMMAND_EXECUTIONEXTERNAL_DOWNLOADSPROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill uses subprocesses to manage and generate media files.\n
  • The script download_videos_from_manifest_with_ytdlp.mjs invokes python3 -m yt_dlp to download video content from provided manifests.\n
  • The workspace runtime in postplus_workspace_runtime.mjs utilizes ffmpeg for generating test video fixtures and uses the macOS open utility to allow users to view project files.\n- [EXTERNAL_DOWNLOADS]: The skill contains functionality to download external media and interact with cloud APIs.\n
  • Video assets are downloaded from remote sources via yt-dlp based on user-supplied manifests.\n
  • The network_runtime.mjs and postplus_cloud_client.mjs libraries facilitate communication with PostPlus Cloud APIs for authentication and media processing.\n- [PROMPT_INJECTION]: The skill processes structured data that could serve as an indirect prompt injection vector.\n
  • Ingestion points: The skill reads user-provided JSON files such as brief.json and manifest.json in build_video_request_architecture.mjs and download_videos_from_manifest_with_ytdlp.mjs.\n
  • Boundary markers: Instructions in SKILL.md advise making requests self-contained and avoiding references to prior segments.\n
  • Capability inventory: The skill has access to the local file system, network requests, and subprocess execution (ffmpeg, python3, open).\n
  • Sanitization: File operations are restricted to the project workspace through path resolution logic in postplus_workspace_runtime.mjs.
Audit Metadata
Risk Level
SAFE
Analyzed
May 20, 2026, 12:46 PM
Security Audit — agent-trust-hub — video-request-architect