apex-video-generator
Pass
Audited by Gen Agent Trust Hub on Feb 24, 2026
Risk Level: SAFE
COMMAND_EXECUTION, PROMPT_INJECTION, EXTERNAL_DOWNLOADS
Full Analysis
- [COMMAND_EXECUTION]: The skill requests the Bash tool to perform video rendering and file operations. While consistent with the skill's purpose of utilizing Remotion, Bash provides arbitrary command execution, which poses a risk if hijacked.
- [PROMPT_INJECTION]: The skill ingests data from external URLs via Firecrawl, creating an indirect prompt injection surface.
  - Ingestion points: Property data extracted from listingUrls in SKILL.md.
  - Boundary markers: No delimiters are specified in the templates to isolate external data from instructions.
  - Capability inventory: The agent has access to Bash, Write, and Edit tools, which could be leveraged by malicious input.
  - Sanitization: No sanitization or validation of the scraped data is mentioned in the provided rules.
- [EXTERNAL_DOWNLOADS]: The skill relies on external services including Firecrawl for web scraping, OpenAI for text-to-speech, and Supabase or Convex for storage and job tracking.