add-sfx
Pass
Audited by Gen Agent Trust Hub on Jun 29, 2026
Risk Level: SAFE
Flags: EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill downloads sound effects and a metadata catalog from the vendor's domain https://sfx.woven.video.
- [REMOTE_CODE_EXECUTION]: The setup documentation instructs users to execute npx -y woven-sfx-mcp, which downloads and runs the vendor's MCP server code from the npm registry.
- [COMMAND_EXECUTION]: The scripts/pull-library.sh script performs directory management and uses an inline Node.js script to automate sound file synchronization.
- [PROMPT_INJECTION]: The skill ingests untrusted data from an external JSON catalog.
  - Ingestion points: scripts/pull-library.sh reads the remote catalog at https://sfx.woven.video/catalog.json.
  - Boundary markers: None present in the synchronization script.
  - Capability inventory: The script can create directories and write files to the local file system.
  - Sanitization: The script uses standard JSON parsing, but catalog-provided filenames are used in file path construction without explicit validation against path traversal sequences. A catalog entry whose filename contains ../ segments or an absolute path would therefore resolve to a location outside the library directory.
Audit Metadata