guided-explainer-video

Fail

Audited by Socket on Feb 22, 2026

1 alert found:

Malware: HIGH
SKILL.md

[Skill Scanner] Natural language instruction to download and install from URL detected

All findings:
[CRITICAL] command_injection: Natural language instruction to download and install from URL detected (CI009) [AITech 9.1.4]
[HIGH] supply_chain: Installation of third-party script detected (SC006) [AITech 9.1.4]

The fragment presents a coherent, purpose-aligned pipeline for producing branded explainer videos using Helios and motion.dev. It remains benign in intent but introduces medium risk primarily due to external service dependencies and environment-based credential handling. To strengthen security and reliability, implement secret management (avoid logging API keys), define consent/privacy handling for URL-derived brand data, and validate external tool inputs with strict version pinning and integrity checks.

LLM verification: Functionally coherent skill that requests reasonable capabilities for producing brand-driven explainer videos (repo/URL analysis, optional ElevenLabs audio, Helios rendering). Primary security concerns are supply-chain in nature: unpinned npm dependencies and the requirement to install and execute a third-party CLI (npx helios render). These increase the risk of a compromised dependency or malicious package executing locally. There is no direct evidence of credential harvesting, exfiltration, ob

Confidence: 98%
Severity: 90%
Audit Metadata
Analyzed At
Feb 22, 2026, 06:23 PM
Package URL
pkg:socket/skills-sh/BintzGavin%2Fhelios-skills%2Fguided-explainer-video%2F@231ac1e0c3fbdb0305a30fe3f4f7469703871584