blitzreels-carousels

Pass

Audited by Gen Agent Trust Hub on Feb 12, 2026

Risk Level: LOW (EXTERNAL_DOWNLOADS)
Full Analysis

The skill consists of markdown files and shell scripts designed to interact with the BlitzReels API. All network operations (using curl) are directed towards https://www.blitzreels.com for fetching OpenAPI specifications and making API calls. While blitzreels.com is not on the list of trusted GitHub organizations, these calls are fundamental to the skill's intended operation and are not indicative of malicious data exfiltration to an unrelated third party.

API keys (BLITZREELS_API_KEY) are handled securely by being read from an environment variable and passed as a Bearer token in HTTP headers, which is a standard and appropriate method for CLI-based API interactions. The skill does not hardcode API keys or expose them in insecure ways.

User inputs (such as project names, image URLs, and text for overlays) are safely incorporated into JSON payloads using jq -n --arg, which correctly escapes special characters and prevents shell injection vulnerabilities. No obfuscation techniques (like Base64, zero-width characters, or homoglyphs) were detected. There are no attempts at privilege escalation (e.g., sudo, chmod 777), persistence mechanisms (e.g., modifying .bashrc, crontab), or access to sensitive local files (e.g., ~/.ssh/id_rsa).

The BLITZREELS_ALLOW_EXPENSIVE environment variable check acts as a safety mechanism to prevent accidental expensive API calls, rather than a malicious time-delayed attack. The scripts/generate.sh explicitly warns users that its endpoint is not part of the public OpenAPI spec, which is a responsible disclosure.

Overall, the skill demonstrates good security practices for its intended functionality. The 'LOW' verdict is assigned due to the inherent nature of relying on an external, non-trusted-list API for core operations, which always carries a baseline level of external dependency risk, even when handled responsibly.

Audit Metadata
Risk Level: LOW
Analyzed: Feb 12, 2026, 01:06 PM