byted-las-video-edit
Pass
Audited by Gen Agent Trust Hub on Mar 26, 2026
Risk Level: SAFE | EXTERNAL_DOWNLOADS | COMMAND_EXECUTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill communicates with ByteDance's official Volcengine API endpoints (operator.las.cn-beijing.volces.com and operator.las.cn-shanghai.volces.com) to submit and poll video processing tasks. This network activity is documented and restricted to the vendor's own infrastructure.
- [COMMAND_EXECUTION]: Includes a Python utility (scripts/skill.py) that allows the agent to manage asynchronous video editing workflows. The script is dedicated to API communication and does not contain arbitrary command execution or dangerous system modifications.
- [SAFE]: The provided Python script implements robust Server-Side Request Forgery (SSRF) protection. It validates all user-supplied URLs for videos and reference images by resolving the hostname and ensuring the target IP does not belong to a private, loopback, or internal network.
- [SAFE]: API authentication is handled securely by retrieving the LAS_API_KEY from environment variables or a local configuration file (env.sh) using a non-executable parser, avoiding the use of unsafe evaluation functions.