fal-video-edit

Warn

Audited by Gen Agent Trust Hub on Mar 7, 2026

Risk Level: MEDIUM
Categories: COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, CREDENTIALS_UNSAFE
Full Analysis
  • [COMMAND_EXECUTION]: The scripts edit-video.sh and video-audio.sh are vulnerable to command injection via the --add-fal-key parameter. The script writes the provided input directly into a .env file (echo "FAL_KEY=$2" > .env) without validation. Because this file is later loaded using the source command, any shell-executable patterns (such as backticks or command substitution) in the key will be executed in the agent's context.
  • [EXTERNAL_DOWNLOADS]: The skill uses curl to interact with https://queue.fal.run. This is the official API endpoint for the fal.ai service, which is the service provider for the models used by the skill. These network operations are consistent with the skill's primary function.
  • [CREDENTIALS_UNSAFE]: The skill implements a plaintext credential storage mechanism. The FAL_KEY is stored in a local .env file, making it accessible to any other process or user with access to the skill's directory.
Audit Metadata
  • Risk Level: MEDIUM
  • Analyzed: Mar 7, 2026, 08:01 PM