avatar-ambient-sfx
Pass
Audited by Gen Agent Trust Hub on Jul 10, 2026
Risk Level: SAFE
Full Analysis
- [COMMAND_EXECUTION]: The script
scripts/overlay_ambient.pyexecutesffmpegandffprobeto perform audio mixing, loudness normalization, and video stream copying. These operations are conducted using thesubprocess.runmethod with argument lists, which is the recommended secure practice for calling external binaries. - [EXTERNAL_DOWNLOADS]: The skill relies on external scripts and configuration from a related skill (
audio-theater) expected to be present at~/.cursor/skills/audio-theater/scripts. It does not attempt to download code from remote or untrusted sources during execution. - [DATA_EXFILTRATION]: While the skill instructions mention the use of an ElevenLabs API key for sound generation (handled by the external
audio-theaterskill), the provided scripts do not access, store, or transmit any sensitive credentials or environment variables. - [INDIRECT_PROMPT_INJECTION]: The skill parses local JSON files (
reel_manifest.json,narration.align.json) to extract timing data and alignment information. This data is used solely for determining numeric parameters for audio processing (such as fade start times and sidechain compression thresholds) and does not influence the agent's logic in a way that allows instruction overrides.
Audit Metadata