podcast-producer

Pass

Audited by Gen Agent Trust Hub on Apr 16, 2026

Risk Level: SAFECOMMAND_EXECUTIONEXTERNAL_DOWNLOADSDATA_EXFILTRATION
Full Analysis
  • [COMMAND_EXECUTION]: The skill performs extensive shell command execution using ffmpeg for audio manipulation (filtering, mixing, concatenation, mastering), curl for API interactions, and system utilities like jq and base64. It uses a temporary working directory (/tmp/podcast-XXXXXX) for intermediate files.
  • [EXTERNAL_DOWNLOADS]: Fetches royalty-free audio assets (music, sound effects, ambience) from well-known services including Pixabay, Freesound, and Mixkit. These downloads are required for the skill's stated purpose of high-quality production.
  • [DATA_EXFILTRATION]: Transmits user-provided script text to an external relay TTS API ($API_URL/api/data/tts/synthesize) to generate voice audio. This operation uses platform-provided Bearer tokens for authentication.
  • [INDIRECT_PROMPT_INJECTION]: The skill processes untrusted script content that includes structural directives (e.g., [INTRO], [HOST]). The instructions include a specific safety guideline to use alphanumeric filenames only to mitigate potential command injection risks when processing these user-supplied markers in shell commands.
Audit Metadata
Risk Level
SAFE
Analyzed
Apr 16, 2026, 05:38 PM
Security Audit — agent-trust-hub — podcast-producer