skills/woven-video/woven-sfx/add-sfx/Gen Agent Trust Hub

add-sfx

Pass

Audited by Gen Agent Trust Hub on Jun 29, 2026

Risk Level: SAFEEXTERNAL_DOWNLOADSREMOTE_CODE_EXECUTIONCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
  • [EXTERNAL_DOWNLOADS]: The skill downloads sound effects and a metadata catalog from the vendor's domain https://sfx.woven.video.\n- [REMOTE_CODE_EXECUTION]: The setup documentation instructs users to execute npx -y woven-sfx-mcp, which downloads and runs the vendor's MCP server code from the npm registry.\n- [COMMAND_EXECUTION]: The scripts/pull-library.sh script performs directory management and uses an inline Node.js script to automate sound file synchronization.\n- [PROMPT_INJECTION]: The skill ingests untrusted data from an external JSON catalog.\n
  • Ingestion points: scripts/pull-library.sh reads the remote catalog at https://sfx.woven.video/catalog.json.\n
  • Boundary markers: None present in the synchronization script.\n
  • Capability inventory: The script can create directories and write files to the local file system.\n
  • Sanitization: The script uses standard JSON parsing, though catalog-provided filenames are utilized in file path construction without explicit validation against path traversal sequences.
Audit Metadata
Risk Level
SAFE
Analyzed
Jun 29, 2026, 03:19 AM
Security Audit — agent-trust-hub — add-sfx