acestep-simplemv

Pass

Audited by Gen Agent Trust Hub on Mar 10, 2026

Risk Level: SAFE
COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill uses execSync in render.mjs to execute ffprobe for duration detection and npx remotion render for video generation. These commands incorporate user-provided file paths and titles.
  • [EXTERNAL_DOWNLOADS]: If a Chromium-based browser is not detected on the system, the skill may download chrome-headless-shell from Google's servers. This is standard behavior for the Remotion library used by the skill.
  • [PROMPT_INJECTION]: The skill processes untrusted external data (audio and lyrics files) which are rendered into the final video. This constitutes an indirect prompt injection surface.
      • Ingestion points: Audio and lyrics files provided via --audio, --lyrics, or --lyrics-json (referenced in SKILL.md and render.mjs).
      • Boundary markers: None used for the content of the lyrics text.
      • Capability inventory: Subprocess execution via execSync and file system operations via fs module (referenced in render.mjs).
      • Sanitization: Titles and subtitles are sanitized by removing newlines and truncating length.
Audit Metadata
Risk Level: SAFE
Analyzed: Mar 10, 2026, 09:16 AM