convert-video
Pass
Audited by Gen Agent Trust Hub on Mar 10, 2026
Risk Level: SAFE COMMAND_EXECUTION PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill uses the Bash tool to execute system commands including `ffmpeg` and `ffprobe`. It constructs these commands by interpolating variables like `$INPUT`, `$OUTPUT`, and `$N` which are derived from user-provided data. This pattern can lead to command injection if the agent does not properly escape shell metacharacters in file paths or parameters.
- [PROMPT_INJECTION]: The skill ingests untrusted data from user requests and file system metadata which creates an indirect prompt injection surface.
  - Ingestion points: User-provided video file paths and transformation parameters (e.g., seek times, scale dimensions, and frame rate variables).
  - Boundary markers: Absent. There are no explicit delimiters or instructions to the agent to treat user-provided strings as data rather than executable parts of the command.
  - Capability inventory: The skill utilizes `Bash(ffprobe:*)` and `Bash(ffmpeg:*)` which allow execution of powerful command-line utilities.
  - Sanitization: Absent. The skill provides command templates but lacks instructions for input validation, type checking, or shell escaping of the variables used in the CLI invocations.
Audit Metadata