reel-discovery
Pass
Audited by Gen Agent Trust Hub on Jul 10, 2026
Risk Level: SAFECOMMAND_EXECUTIONEXTERNAL_DOWNLOADS
Full Analysis
- [SAFE]: The skill implements secure credential management. It detects and uses API keys (YouTube and Apify) from environment variables or a git-ignored
config.jsonfile. A provided setup script (setup_key.py) facilitates this process and masks keys when displaying them, preventing exposure. - [COMMAND_EXECUTION]: Utilizes
yt-dlpthroughsubprocess.runto extract metadata and download video content. These calls are implemented using argument lists rather than shell strings and do not useshell=True, which protects against shell injection attacks. - [EXTERNAL_DOWNLOADS]: Fetches data from well-known technology services and official APIs, including Google (YouTube Data API v3), TikWM (TikTok API proxy), and Apify (social media scrapers). All connections are made over HTTPS.
- [DATA_EXPOSURE]: Includes a synchronization script (
sync_global.sh) to maintain consistency between project-local and global skill folders. The script is configured with explicit exclusions for sensitive configuration files (config.json), ensuring secrets remain local to their environment.
Audit Metadata