video-to-splat

Fail

Audited by Gen Agent Trust Hub on Jul 8, 2026

Risk Level: HIGHREMOTE_CODE_EXECUTIONEXTERNAL_DOWNLOADSCOMMAND_EXECUTION
Full Analysis
  • [REMOTE_CODE_EXECUTION]: The SKILL.md file instructs users to install the uv package manager using curl -LsSf https://astral.sh/uv/install.sh | sh, which is a risky pattern that executes a remote script directly in the shell.
  • [EXTERNAL_DOWNLOADS]: The scripts/setup_env.sh script downloads a prebuilt macOS binary (brush_app) from github.com/ArthurBrussee/brush and a large vocabulary tree file from the official COLMAP GitHub releases. While these are required for the skill's functionality, they involve executing third-party binaries not managed by standard package registries.
  • [COMMAND_EXECUTION]: The skill makes extensive use of subprocess and shell execution to drive its pipeline. Specifically, extract_frames.py calls ffmpeg/ffprobe, run_colmap.py uses pycolmap, and train_splat.sh executes the downloaded brush_app binary. Additionally, preview.sh dynamically generates and executes a Python script via stdin to process metadata.
  • [EXTERNAL_DOWNLOADS]: The setup process uses npm install and uv pip install to fetch dependencies for the viewer and the SfM pipeline, which introduces standard supply-chain risks.
Recommendations
  • HIGH: Downloads and executes remote code from: https://astral.sh/uv/install.sh - DO NOT USE without thorough review
Audit Metadata
Risk Level
HIGH
Analyzed
Jul 8, 2026, 03:28 AM
Security Audit — agent-trust-hub — video-to-splat