video-bg-replace

Pass

Audited by Gen Agent Trust Hub on Jul 10, 2026

Risk Level: SAFE
Full Analysis
  • [COMMAND_EXECUTION]: The skill uses ffmpeg and ffprobe for video compositing and metadata extraction. All process executions are handled using list-based arguments with subprocess.run, which effectively prevents shell injection vulnerabilities.
  • [EXTERNAL_DOWNLOADS]: Fetches processed assets (alpha mattes and masked videos) from Replicate's infrastructure. These downloads are part of the core functionality and target a well-known service.
  • [DATA_EXFILTRATION]: Implements a local token discovery mechanism that searches for Replicate API keys in environment variables and specific configuration paths of related skills (e.g., ~/.cursor/skills/broll-generator/config.json). This behavior is limited to the local filesystem for user convenience within the platform context.
  • [COMMAND_EXECUTION]: Utilizes dynamic module loading (__import__) to lazily load the replicate dependency. This is a standard Python pattern used here to provide helpful installation instructions if the package is missing.
Audit Metadata
Risk Level
SAFE
Analyzed
Jul 10, 2026, 01:40 AM