Skills
skills/starchild-ai-agent/community-skills/@554/video/Gen Agent Trust Hub

@554/video

Warn

Audited by Gen Agent Trust Hub on May 3, 2026

Risk Level: MEDIUMCOMMAND_EXECUTIONEXTERNAL_DOWNLOADSDATA_EXFILTRATION
Full Analysis
  • [COMMAND_EXECUTION]: Instructions in SKILL.md direct the agent to use exec(open(...).read()) to execute local Python scripts (generate_video.py, poll_status.py, publish_asset.py). This dynamic execution pattern is used to run the logic provided within the skill.
  • [COMMAND_EXECUTION]: The generate_video.py and poll_status.py scripts disable SSL certificate verification (verify=False) when making network requests to the local proxy and external APIs. This configuration bypasses standard security checks and increases the risk of man-in-the-middle attacks.
  • [EXTERNAL_DOWNLOADS]: The skill downloads generated video files from external CDN URLs (e.g., fal.media) to the local output/videos/ directory using the requests library.
  • [EXTERNAL_DOWNLOADS]: The publish_asset.py script includes functionality to download files from arbitrary user-provided URLs into the output/fal_assets/ directory.
  • [DATA_EXFILTRATION]: The skill implements a workflow where local files in output/fal_assets/ are exposed to a public URL via a Starchild preview (community.iamstarchild.com). While intended for model reference, this creates an exposure surface for any data moved into that directory.
Audit Metadata
Risk Level
MEDIUM
Analyzed
May 3, 2026, 10:48 AM
Security Audit — agent-trust-hub — @554/video