skills/t0ugh/videoclaw/video-i2i/Gen Agent Trust Hub

video-i2i

Warn

Audited by Gen Agent Trust Hub on May 12, 2026

Risk Level: MEDIUM
EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, REMOTE_CODE_EXECUTION
Full Analysis
  • [EXTERNAL_DOWNLOADS]: The skill documentation instructs the agent to use uvx videoclaw, which triggers the download of a package from an external registry (such as PyPI) at runtime.
  • [COMMAND_EXECUTION]: The instructions demonstrate executing shell commands using the videoclaw CLI to transform images. These commands manipulate local file paths for input and output.
  • [REMOTE_CODE_EXECUTION]: By using the uvx package runner to invoke videoclaw, the agent executes code fetched from a remote source. As videoclaw is not associated with a verified or trusted vendor, this presents a risk of executing unvetted code in the environment.
  • [PROMPT_INJECTION]: The skill uses a --prompt argument to pass instructions to the image transformation tool. This creates a surface for indirect prompt injection as there are no boundary markers or sanitization steps described to isolate user-supplied instructions from the agent's logic.
Audit Metadata
Risk Level: MEDIUM
Analyzed: May 12, 2026, 08:40 AM