blitzreels-video-editing

Pass

Audited by Gen Agent Trust Hub on May 18, 2026

Risk Level: SAFE
Full Analysis
  • [SAFE]: No malicious patterns, such as prompt injection, persistence mechanisms, or privilege escalation, were detected across the skill's instructions and scripts.
  • [DATA_EXPOSURE_AND_EXFILTRATION]: Communication is restricted to the vendor's official API domain (blitzreels.com). The skill correctly identifies the need for an API key (BLITZREELS_API_KEY) but does not include any hardcoded credentials. It also provides guidance on using environment variables for secret management.
  • [DYNAMIC_EXECUTION]: The provided scripts (editor.sh, blitzreels.sh) use standard shell utilities like curl and jq to interact with the API. User-provided inputs, such as URLs and project IDs, are sanitized using jq (e.g., jq -Rs .) before being incorporated into JSON request bodies, mitigating injection risks.
  • [INDIRECT_PROMPT_INJECTION]: The skill processes external data (URLs and JSON payloads). While this represents a potential attack surface, the risk is minimized by the use of structured data formats and explicit API schemas.
    • Ingestion points: Media URLs in upload-url, transcript corrections in transcript-corrections, and B-roll definitions in add-broll.
    • Boundary markers: Not explicitly defined in instructions, but the skill relies on structured API requests.
    • Capability inventory: Subprocess calls are limited to curl and jq for API communication.
    • Sanitization: Shell scripts use jq to safely escape and encode user-supplied strings into JSON structures.
Audit Metadata
Risk Level
SAFE
Analyzed
May 18, 2026, 09:13 AM