reel-builder
Pass
Audited by Gen Agent Trust Hub on Mar 18, 2026
Risk Level: SAFE
Full Analysis
- [COMMAND_EXECUTION]: The
reel_builder.pyscript utilizessubprocess.runto executeffmpegcommands for normalizing video dimensions and concatenating clips. This is a necessary and standard operation for the skill's primary purpose. - [EXTERNAL_DOWNLOADS]: The skill performs HTTP GET and POST requests to official Fal.ai endpoints (fal.run, queue.fal.run) to trigger media generation and download the resulting assets.
- [DATA_EXFILTRATION]: The script facilitates the upload of local image files to Fal.ai's storage infrastructure (alpha.fal.ai). This is a legitimate step in the workflow for converting generated images into video clips via external AI providers.
- [PROMPT_INJECTION]: The skill processes untrusted storyboard data from user-provided JSON files which are interpolated into AI generation prompts. 1. Ingestion points: Storyboard JSON files processed in
scripts/reel_builder.py. 2. Boundary markers: None present; prompts are passed directly to API bodies. 3. Capability inventory: Subprocess calls forffmpegand network operations viarequestsinscripts/reel_builder.py. 4. Sanitization: No specific sanitization or filtering of prompt content is performed before transmission to the API.
Audit Metadata