Skills
skills/postplusai/postplus-skills/visual-hook/Gen Agent Trust Hub

visual-hook

Pass

Audited by Gen Agent Trust Hub on May 17, 2026

Risk Level: SAFECOMMAND_EXECUTIONEXTERNAL_DOWNLOADSCREDENTIALS_UNSAFE
Full Analysis
  • [COMMAND_EXECUTION]: The script _postplus_shared/00-core/shared-runtime/scripts/download_videos_from_manifest_with_ytdlp.mjs executes external system commands using the spawn method. Evidence: It invokes python3 -m yt_dlp to download media files for analysis.
  • [EXTERNAL_DOWNLOADS]: The skill contains logic for retrieving remote content from external servers. Evidence: The download_videos_from_manifest_with_ytdlp.mjs script fetches video data from URLs provided in manifest files. Additionally, _postplus_shared/00-core/shared-runtime/scripts/lib/network_runtime.mjs provides utility functions for downloading files and making HTTP requests.
  • [CREDENTIALS_UNSAFE]: The skill accesses authentication tokens stored in the local file system to communicate with vendor services. Evidence: _postplus_shared/00-core/shared-runtime/scripts/lib/postplus_cli_config.mjs reads the cliSessionToken from the CLI configuration directory (e.g., ~/.config/postplus/config.json). This token is used to authenticate requests to the vendor's cloud API.
Audit Metadata
Risk Level
SAFE
Analyzed
May 17, 2026, 07:44 AM
Security Audit — agent-trust-hub — visual-hook