video-bg-replace
Pass
Audited by Gen Agent Trust Hub on Jul 10, 2026
Risk Level: SAFE
Full Analysis
- [COMMAND_EXECUTION]: The skill uses
ffmpegandffprobefor video compositing and metadata extraction. All process executions are handled using list-based arguments withsubprocess.run, which effectively prevents shell injection vulnerabilities. - [EXTERNAL_DOWNLOADS]: Fetches processed assets (alpha mattes and masked videos) from Replicate's infrastructure. These downloads are part of the core functionality and target a well-known service.
- [DATA_EXFILTRATION]: Implements a local token discovery mechanism that searches for Replicate API keys in environment variables and specific configuration paths of related skills (e.g.,
~/.cursor/skills/broll-generator/config.json). This behavior is limited to the local filesystem for user convenience within the platform context. - [COMMAND_EXECUTION]: Utilizes dynamic module loading (
__import__) to lazily load thereplicatedependency. This is a standard Python pattern used here to provide helpful installation instructions if the package is missing.
Audit Metadata