after-effects
Audited by Socket on Mar 3, 2026
2 alerts found:
Malware
Obfuscated File
BENIGN overall. The skill is a documented AE automation framework that generates and runs ExtendScript via osascript, with explicit safeguards for destructive operations and a clearly scoped, macOS AE-bound workflow. While it grants extensive project access and mutation capabilities, these are coherent with the stated purpose of automating After Effects tasks for a user’s project. No hardcoded credentials, external data exfiltration, or remote command execution patterns are evident in the fragment. Potential risk remains due to the powerful host-level actions, but the footprint is proportionate to its claimed use case.
The runner is an effective local bridge for executing ExtendScript within After Effects, with basic version management, argument passing, and result propagation. The main security concerns arise from injecting untrusted SCRIPT_PATH and ARGS_JSON into the JXA wrapper without thorough escaping, and from granting AE automation privileges to arbitrary .jsx scripts. No evidence of external exfiltration or backdoors was found. Recommended hardening steps include: (1) implement robust escaping and validation for all inputs used in the embedded JXA string, (2) validate ARGS_JSON against a strict schema, (3) limit the capabilities of the JSX scripts via a controlled AE scripting policy or sandbox, and (4) consider a higher integrity model where only signed or verified scripts are executed. Overall risk remains moderate due to the trusted path assumption for AE and potential privilege escalation via the supplied script, but with targeted mitigations the security posture can be improved.