vss-ask-video

Pass

Audited by Gen Agent Trust Hub on Jun 18, 2026

Risk Level: SAFE
Full Analysis
  • [COMMAND_EXECUTION]: The skill executes shell commands including curl, jq, and python3 to perform service health checks, query the VSS agent, and process the resulting data. These commands are used appropriately within the context of interacting with a development or production video analytics stack.
  • [PROMPT_INJECTION]: The skill contains a surface for indirect prompt injection by interpolating user-provided queries into the input_message sent to the VSS agent's /generate endpoint.
  • Ingestion points: User input is embedded directly into the prompt template in SKILL.md.
  • Boundary markers: No explicit delimiters are used to wrap the user-supplied text.
  • Capability inventory: The skill has access to shell commands (curl, python3) for tool operations.
  • Sanitization: The skill processes the agent's output using a Python one-liner to strip internal metadata tags, though it does not sanitize the initial user-provided input before submission to the agent.
  • [DATA_EXFILTRATION]: The skill provides instructions for uploading local files to a VST storage service via curl -X PUT. This network operation is part of the intended workflow for managing video data and utilizes configuration provided via environment variables such as ${HOST_IP}.
Audit Metadata
Risk Level
SAFE
Analyzed
Jun 18, 2026, 04:39 PM
Security Audit — agent-trust-hub — vss-ask-video