avatar-reel-composer

Pass

Audited by Gen Agent Trust Hub on Jul 10, 2026

Risk Level: SAFE
Full Analysis
  • [COMMAND_EXECUTION]: The skill makes extensive use of the subprocess module to orchestrate video processing tasks. It executes standard system utilities such as ffmpeg and ffprobe for media manipulation, and uses sys.executable to run sibling Python scripts (e.g., generate_speech.py, generate_video.py) within the same environment. This behavior is essential for its function as a multi-stage orchestrator.
  • [CREDENTIALS_UNSAFE]: The skill implements a robust token resolution mechanism in scripts/_arc_common.py. It looks for the REPLICATE_API_TOKEN in environment variables and local configuration files. It also implements a 'shared configuration' pattern, where it can inherit a token from sibling skills (e.g., voice-clone, broll-generator) installed in the same project root or home directory. This is consistent with an integrated suite of development tools from the same vendor.
  • [EXTERNAL_DOWNLOADS]: The skill automates the acquisition of media assets. create_avatar.py coordinates the downloading of video content from public social media profiles (via the instagram-videos skill). Additionally, it interacts with official APIs for Replicate and Stability AI via their standard SDKs to generate audio, music, and video content. All observed network operations are directed towards legitimate, well-known service providers.
  • [DYNAMIC_EXECUTION]: Static analysis flagged the use of __import__ and compile() in scripts/finish_reel.py. Manual review confirms these are used benignly to dynamically import the standard Python re library and compile a regular expression pattern for parsing music structure tags (_STRUCT_TAG_RE = __import__("re").compile(...)).
Audit Metadata
Risk Level
SAFE
Analyzed
Jul 10, 2026, 01:40 AM