Skills
skills/varnan-tech/opendirectory/vid-motion-graphics/Gen Agent Trust Hub

vid-motion-graphics

Pass

Audited by Gen Agent Trust Hub on May 15, 2026

Risk Level: SAFECOMMAND_EXECUTIONEXTERNAL_DOWNLOADSPROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill requires the agent to execute a shell script scripts/export-video.sh to process the animation. This script installs Node.js dependencies, downloads Chromium via Playwright, and invokes FFmpeg for video encoding.
  • [EXTERNAL_DOWNLOADS]: The export script performs automated downloads of the playwright NPM package and the Chromium browser engine. These are well-known tools required for the skill's functionality.
  • [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection (Category 8) because it interpolates a user-provided content_brief directly into an HTML template that is subsequently rendered by a headless browser.
  • Ingestion points: The content_brief variable is ingested in SKILL.md (Step 1 and Step 3).
  • Boundary markers: No specific boundary markers or 'ignore' instructions are provided to separate user content from the HTML/JavaScript logic.
  • Capability inventory: The skill can execute shell commands via export-video.sh, write files to the local disk, and access the network via Playwright to fetch Google Fonts.
  • Sanitization: There is no evidence of sanitization or escaping of the content_brief before it is placed into the HTML structure, which could allow a malicious brief to inject arbitrary JavaScript into the rendering process.
Audit Metadata
Risk Level
SAFE
Analyzed
May 15, 2026, 06:07 PM
Security Audit — agent-trust-hub — vid-motion-graphics