Skills
skills/tfcbot/shortform-distribution-skills/sfd-video-director/Gen Agent Trust Hub

sfd-video-director

Warn

Audited by Gen Agent Trust Hub on Apr 10, 2026

Risk Level: MEDIUMCOMMAND_EXECUTIONEXTERNAL_DOWNLOADSPROMPT_INJECTION
Full Analysis
  • [DYNAMIC_EXECUTION]: The vidlang framework and its linting tool (vidlang/lint.ts) use dynamic import() to load and execute TypeScript or JavaScript configuration and specification files from computed paths on the filesystem.
  • [COMMAND_EXECUTION]: Several automation scripts, including scripts/generate-multi-scene.ts and scripts/generate-lofi-b-roll.ts, use Bun.$ to execute shell commands like ffmpeg and ffprobe. These commands use arguments derived from user-provided configuration files to perform media concatenation, normalization, and editing.
  • [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection (Category 8).
  • Ingestion points: Video specifications, prompts, and dialogue read from scenes.json or character.json files.
  • Boundary markers: Absent; user-provided text content is interpolated directly into API payloads without delimiters or instructions to ignore embedded commands.
  • Capability inventory: Subprocess execution via Bun.$ and network operations via fetch across multiple scripts.
  • Sanitization: Absent; ingested text is not validated or escaped before being transmitted to external AI models.
  • [EXTERNAL_DOWNLOADS]: The skill fetches assets from external sources, including a hardcoded image reference on tempfile.aiquickdraw.com in scripts/generate-multi-scene.ts and dynamic media URLs from AI service providers.
Audit Metadata
Risk Level
MEDIUM
Analyzed
Apr 10, 2026, 01:30 AM