add-sfx
Pass
Audited by Gen Agent Trust Hub on Jun 29, 2026
Risk Level: SAFE, EXTERNAL_DOWNLOADS, COMMAND_EXECUTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: Fetches audio assets and library metadata from the vendor-controlled domain sfx.woven.video.
- [COMMAND_EXECUTION]: The script pull-library.sh uses shell utilities and Node.js to synchronize the local sound library, including reading configuration from the project-local .claude/project.md file.
- [REMOTE_CODE_EXECUTION]: Setup documentation guides the user to run the woven-sfx-mcp package using npx, which is the standard deployment method for the vendor's MCP server.
- [PROMPT_INJECTION]: The skill processes external search data from the SFX catalog. Ingestion points: sfx_search tool output (SKILL.md). Boundary markers: Absent. Capability inventory: File-writing via sfx_pull and scripts/pull-library.sh. Sanitization: Not explicitly present. The skill has an indirect injection surface when processing catalog metadata.