muapi-animal-video-generator

Warn

Audited by Gen Agent Trust Hub on May 19, 2026

Risk Level: MEDIUM (COMMAND_EXECUTION, PROMPT_INJECTION, DATA_EXFILTRATION)
Full Analysis
  • [COMMAND_EXECUTION]: The 'Notes for the Executing Agent' section provides a fallback instruction to use curl for API calls. This instruction directs the agent to substitute user-provided inputs directly into a shell command. Without proper sanitization or escaping by the agent, this creates a risk of command injection if a user provides malicious input containing shell metacharacters.
  • [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection because it interpolates user-controlled data into generation prompts without sufficient protection.
    • Ingestion points: User inputs for animal_type, location, clothing, and script are defined in SKILL.md and used in Phase A and Phase B.
    • Boundary markers: None. The inputs are placed directly into the natural language prompts.
    • Capability inventory: The skill uses the muapi CLI and shell-based curl commands for network operations.
    • Sanitization: No sanitization or validation steps are defined for the user inputs.
  • [DATA_EXFILTRATION]: The skill performs network requests to api.muapi.ai. While this aligns with the skill's purpose of using an external video generation service, it involves the transmission of user inputs and the MUAPI_API_KEY to an external domain.
Audit Metadata
  • Risk Level: MEDIUM
  • Analyzed: May 19, 2026, 02:04 PM