broll-generator

Pass

Audited by Gen Agent Trust Hub on Jul 10, 2026

Risk Level: SAFECOMMAND_EXECUTIONEXTERNAL_DOWNLOADSDATA_EXFILTRATIONPROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill uses ffmpeg and ffprobe to normalize video durations and extract metadata. Command arguments such as clip duration are explicitly cast to numeric types (floats), and filenames are generated via a slugification function that strips special characters, preventing shell command injection.
  • [EXTERNAL_DOWNLOADS]: Video clips generated by the prunaai/p-video model are downloaded from Replicate, a well-known AI service provider. The download operations are part of the core functionality and target expected service domains.
  • [DATA_EXFILTRATION]: To provide a better user experience, the skill implements a credential discovery mechanism that reads Replicate API tokens from the configuration files of sibling skills within the ~/.cursor/skills/ directory. This cross-skill access is limited to specific JSON configuration files within the agent's own ecosystem and is used for shared credential management.
  • [PROMPT_INJECTION]: User-provided scene descriptions are wrapped in quality-focused prompts before being sent to the remote video generation model. While this involves interpolating external input into an AI prompt, the impact is restricted to the visual output of the generated video file.
Audit Metadata
Risk Level
SAFE
Analyzed
Jul 10, 2026, 01:40 AM