avatar-ambient-sfx

Pass

Audited by Gen Agent Trust Hub on Jul 10, 2026

Risk Level: SAFE
Full Analysis
  • [COMMAND_EXECUTION]: The script scripts/overlay_ambient.py executes ffmpeg and ffprobe to perform audio mixing, loudness normalization, and video stream copying. These operations are conducted using the subprocess.run method with argument lists, which is the recommended secure practice for calling external binaries.
  • [EXTERNAL_DOWNLOADS]: The skill relies on external scripts and configuration from a related skill (audio-theater) expected to be present at ~/.cursor/skills/audio-theater/scripts. It does not attempt to download code from remote or untrusted sources during execution.
  • [DATA_EXFILTRATION]: While the skill instructions mention the use of an ElevenLabs API key for sound generation (handled by the external audio-theater skill), the provided scripts do not access, store, or transmit any sensitive credentials or environment variables.
  • [INDIRECT_PROMPT_INJECTION]: The skill parses local JSON files (reel_manifest.json, narration.align.json) to extract timing data and alignment information. This data is used solely for determining numeric parameters for audio processing (such as fade start times and sidechain compression thresholds) and does not influence the agent's logic in a way that allows instruction overrides.
Audit Metadata
Risk Level
SAFE
Analyzed
Jul 10, 2026, 01:40 AM