avatar-reel-composer
Pass
Audited by Gen Agent Trust Hub on Jul 10, 2026
Risk Level: SAFE
Full Analysis
- [COMMAND_EXECUTION]: The skill makes extensive use of the
subprocessmodule to orchestrate video processing tasks. It executes standard system utilities such asffmpegandffprobefor media manipulation, and usessys.executableto run sibling Python scripts (e.g.,generate_speech.py,generate_video.py) within the same environment. This behavior is essential for its function as a multi-stage orchestrator. - [CREDENTIALS_UNSAFE]: The skill implements a robust token resolution mechanism in
scripts/_arc_common.py. It looks for theREPLICATE_API_TOKENin environment variables and local configuration files. It also implements a 'shared configuration' pattern, where it can inherit a token from sibling skills (e.g.,voice-clone,broll-generator) installed in the same project root or home directory. This is consistent with an integrated suite of development tools from the same vendor. - [EXTERNAL_DOWNLOADS]: The skill automates the acquisition of media assets.
create_avatar.pycoordinates the downloading of video content from public social media profiles (via theinstagram-videosskill). Additionally, it interacts with official APIs for Replicate and Stability AI via their standard SDKs to generate audio, music, and video content. All observed network operations are directed towards legitimate, well-known service providers. - [DYNAMIC_EXECUTION]: Static analysis flagged the use of
__import__andcompile()inscripts/finish_reel.py. Manual review confirms these are used benignly to dynamically import the standard Pythonrelibrary and compile a regular expression pattern for parsing music structure tags (_STRUCT_TAG_RE = __import__("re").compile(...)).
Audit Metadata