video-to-splat
Fail
Audited by Gen Agent Trust Hub on Jul 8, 2026
Risk Level: HIGHREMOTE_CODE_EXECUTIONEXTERNAL_DOWNLOADSCOMMAND_EXECUTION
Full Analysis
- [REMOTE_CODE_EXECUTION]: The
SKILL.mdfile instructs users to install theuvpackage manager usingcurl -LsSf https://astral.sh/uv/install.sh | sh, which is a risky pattern that executes a remote script directly in the shell. - [EXTERNAL_DOWNLOADS]: The
scripts/setup_env.shscript downloads a prebuilt macOS binary (brush_app) fromgithub.com/ArthurBrussee/brushand a large vocabulary tree file from the official COLMAP GitHub releases. While these are required for the skill's functionality, they involve executing third-party binaries not managed by standard package registries. - [COMMAND_EXECUTION]: The skill makes extensive use of
subprocessand shell execution to drive its pipeline. Specifically,extract_frames.pycallsffmpeg/ffprobe,run_colmap.pyusespycolmap, andtrain_splat.shexecutes the downloadedbrush_appbinary. Additionally,preview.shdynamically generates and executes a Python script via stdin to process metadata. - [EXTERNAL_DOWNLOADS]: The setup process uses
npm installanduv pip installto fetch dependencies for the viewer and the SfM pipeline, which introduces standard supply-chain risks.
Recommendations
- HIGH: Downloads and executes remote code from: https://astral.sh/uv/install.sh - DO NOT USE without thorough review
Audit Metadata