media-processing
Pass
Audited by Gen Agent Trust Hub on Mar 10, 2026
Risk Level: SAFE
Full Analysis
- [SAFE]: No critical or high-risk security vulnerabilities were detected in the skill scripts or instructions.
- [EXTERNAL_DOWNLOADS]: The shell scripts remove-background.sh and batch-remove-background.sh include logic to automatically install the rmbg-cli package globally via NPM if it is not detected. This facilitated setup targets a well-known package registry.
- [COMMAND_EXECUTION]: Core functionality relies on calling system binaries (ffmpeg, magick, rmbg). Python implementations (video_optimize.py, batch_resize.py) correctly utilize subprocess.run with argument lists, mitigating command injection risks from user-provided filenames.
- [PROMPT_INJECTION]: The skill exhibits an indirect prompt injection surface through media metadata processing. Ingestion points: Media file metadata is read via ffprobe and identify in video_optimize.py and batch_resize.py. Boundary markers: No explicit boundary markers or warnings are present for processed metadata. Capability inventory: The agent can execute system commands and manage files through provided scripts. Sanitization: Scripts perform type casting (to int or float) for numeric metadata, though string fields are processed without specific sanitization.
Audit Metadata