reel-discovery

Pass

Audited by Gen Agent Trust Hub on Jul 10, 2026

Risk Level: SAFECOMMAND_EXECUTIONEXTERNAL_DOWNLOADS
Full Analysis
  • [SAFE]: The skill implements secure credential management. It detects and uses API keys (YouTube and Apify) from environment variables or a git-ignored config.json file. A provided setup script (setup_key.py) facilitates this process and masks keys when displaying them, preventing exposure.
  • [COMMAND_EXECUTION]: Utilizes yt-dlp through subprocess.run to extract metadata and download video content. These calls are implemented using argument lists rather than shell strings and do not use shell=True, which protects against shell injection attacks.
  • [EXTERNAL_DOWNLOADS]: Fetches data from well-known technology services and official APIs, including Google (YouTube Data API v3), TikWM (TikTok API proxy), and Apify (social media scrapers). All connections are made over HTTPS.
  • [DATA_EXPOSURE]: Includes a synchronization script (sync_global.sh) to maintain consistency between project-local and global skill folders. The script is configured with explicit exclusions for sensitive configuration files (config.json), ensuring secrets remain local to their environment.
Audit Metadata
Risk Level
SAFE
Analyzed
Jul 10, 2026, 01:40 AM