producing-video

Pass

Audited by Gen Agent Trust Hub on Jun 13, 2026

Risk Level: SAFE
COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill relies on several shell commands to manage the video creation workflow, including environment checks and rendering.
      • Evidence: Executes npx hyperframes (doctor, init, lint, validate, render), ffmpeg for frame extraction, and ffprobe for file analysis.
  • [EXTERNAL_DOWNLOADS]: Fetches external resources required for the video style and typography.
      • Evidence: Downloads WOFF2 font files from cdn.jsdelivr.net and design configuration metadata from hyperframes.dev.
  • [PROMPT_INJECTION]: The skill ingests untrusted subtitle data which directly influences the agent's planning and the final video output.
      • Ingestion points: audio/narration.srt (processed by scripts/srt-cues.mjs and read by the agent).
      • Boundary markers: Absent; the agent is instructed to read the SRT to plan scenes and generate HTML content without delimiters or safety warnings.
      • Capability inventory: Execution of shell commands (npx, ffmpeg, node), file system modifications (mkdir, cp), and network operations (curl).
      • Sanitization: There is no validation or escaping logic to prevent malicious instructions embedded in the SRT files from affecting the agent's behavior.
Audit Metadata
  • Risk Level: SAFE
  • Analyzed: Jun 13, 2026, 12:06 PM