ai-video-production-master
Fail
Audited by Gen Agent Trust Hub on Mar 6, 2026
Risk Level: HIGH
REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, CREDENTIALS_UNSAFE
Full Analysis
- [REMOTE_CODE_EXECUTION]: The script `scripts/cloud_i2v_batch.py` generates and executes an `onstart` bash script on remote Vast.ai cloud instances to install packages (`comfy-cli`, `httpx`) and download large binary models.
- [COMMAND_EXECUTION]: Multiple scripts utilize `subprocess.run` to call system tools: `scripts/cloud_i2v_batch.py` executes `vastai`, `ssh`, and `scp`; `scripts/motion_graphics_generator.py` executes `ffmpeg`, `rsvg-convert`, and `convert` (ImageMagick).
- [CREDENTIALS_UNSAFE]: The script `scripts/cloud_i2v_batch.py` accesses local SSH private keys from sensitive paths including `~/.ssh/id_ed25519_vastai` and default locations (`~/.ssh/id_rsa`) to automate cloud orchestration.
- [EXTERNAL_DOWNLOADS]: The skill automatically fetches AI models and text encoders from Hugging Face (`huggingface.co`) during the remote instance setup process.
- [INDIRECT_PROMPT_INJECTION]: The skill processes user-controlled data (JSON chart data, images, motion prompts) while possessing command execution and network capabilities.
  1. Ingestion points: Found in `scripts/motion_graphics_generator.py` and `scripts/cloud_i2v_batch.py`.
  2. Boundary markers: Absent.
  3. Capability inventory: Shell command execution via `subprocess` and network access via `httpx`.
  4. Sanitization: No validation or sanitization of external inputs was identified.
Recommendations
- AI detected serious security threats
Audit Metadata