video-toolkit
Pass
Audited by Gen Agent Trust Hub on Mar 12, 2026
Risk Level: SAFE
COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, DATA_EXFILTRATION, CREDENTIALS_UNSAFE
Full Analysis
- [COMMAND_EXECUTION]: The skill orchestrates video processing by executing `ffmpeg` and `ffprobe` through Python's `subprocess` module. These commands are used for frame extraction, audio conversion, and video editing (clipping, merging, splitting), which are central to the skill's primary purpose.
- [EXTERNAL_DOWNLOADS]: The `scripts/install_dependencies.sh` script automates the installation of standard Python packages, including `openai-whisper`, `google-genai`, and `shazamio`. It also facilitates the download of pre-trained models for local transcription via OpenAI Whisper.
- [DATA_EXFILTRATION]: Audio extracted from user videos is uploaded to the Google Gemini API for advanced audio understanding and music detection. This is a well-known service and the operation is necessary for the multi-modal analysis features described in the skill's documentation.
- [CREDENTIALS_UNSAFE]: The skill implements a configuration mechanism for managing API keys. The `setup_api_keys.py` script prompts for and stores Gemini and Shazam credentials in a local file named `.video-toolkit-config.json`, allowing the skill to authenticate requests to these services without hardcoding secrets in the source code.
- [PROMPT_INJECTION]: The skill processes transcription data derived from untrusted audio files and includes this text in prompts sent to the Gemini API for translation and analysis. This creates a surface for indirect prompt injection where malicious instructions embedded in a video's audio could attempt to influence the AI's analysis, although the risk is categorized as low due to the narrow scope of the task. (Mandatory Evidence Chain: Ingestion in `analyze_audio_gemini.py`; Boundary markers absent; Capability inventory includes FFmpeg execution; Sanitization absent).
Audit Metadata