media-transcoding
Pass
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: SAFE
Tags: COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- Command Execution (SAFE): The skill is designed to run local bash and Python scripts (ffmpeg_convert.sh, convert_video.py) to perform FFmpeg operations. This is the primary and legitimate purpose of the tool.
- Indirect Prompt Injection (LOW): The skill performs metadata inspection on video files, which constitutes an ingestion point for untrusted data. Evidence:
  1. Ingestion points: External video files (e.g., "My Video.mp4").
  2. Boundary markers: Absent in instructions.
  3. Capability inventory: FFmpeg subprocess execution and file system writes for converted media and backups.
  4. Sanitization: No sanitization or validation of extracted metadata is mentioned.
- External Downloads (SAFE): The documentation recommends installing FFmpeg via Homebrew (brew install ffmpeg), which is a trusted external source.
Audit Metadata