faion-multimodal-ai

Warn

Audited by Gen Agent Trust Hub on Feb 17, 2026

Risk Level: MEDIUM (COMMAND_EXECUTION, PROMPT_INJECTION)
Full Analysis
  • [COMMAND_EXECUTION] (MEDIUM): The VideoProcessor class in video-gen-basics/README.md uses subprocess.run to interact with system tools like ffmpeg and ffprobe. In the concatenate_videos method, input paths are written to a temporary list file using basic single-quote wrapping (f"file '{path}'\n"). A maliciously crafted filename containing a single quote could escape the directive and potentially inject ffmpeg options or access unauthorized files.
  • [PROMPT_INJECTION] (LOW): In vision-basics/README.md, the VisualQA implementation and the structured_analysis function interpolate user-provided strings directly into LLM prompt content without sanitization or boundary markers. This creates a surface for both direct and indirect prompt injection attacks where untrusted data could override agent instructions.
  • [DATA_EXPOSURE] (LOW): The skill utilizes hardcoded temporary file paths, such as /tmp/video_list.txt in video-gen-basics/README.md. Predictable paths in shared directories can lead to local data leakage or resource collision issues in multi-user environments.
Audit Metadata
Risk Level: MEDIUM
Analyzed: Feb 17, 2026, 06:27 PM