vcr-render-planner
Pass
Audited by Gen Agent Trust Hub on Mar 1, 2026
Risk Level: SAFE COMMAND_EXECUTION
Full Analysis
- [COMMAND_EXECUTION]: The skill includes a utility script `scripts/validate_plan.py` that executes the `vcr` command. This is implemented using `subprocess.run` with an argument list rather than a shell string, which is a secure practice that prevents shell injection vulnerabilities.
- [DATA_EXPOSURE]: The validation logic in the skill ensures that output files specified in the render plans must have a `.mov` extension. This prevents the agent from being manipulated into overwriting critical system files or scripts through the rendering process.
- [PROMPT_INJECTION]: The `SKILL.md` file defines a highly constrained role for the agent with specific response formats and capability boundaries. It includes explicit instructions on how to handle unsupported or impossible requests, reducing the likelihood of the agent being coerced into unintended behaviors.
- [SAFE]: The analysis did not detect any hardcoded credentials, unauthorized network exfiltration, obfuscated code, or suspicious persistence mechanisms across the skill files.
Audit Metadata