media-processing
Pass
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: SAFE
Full Analysis
- Command Execution (SAFE): Analysis of scripts/media_convert.py shows that external binaries are invoked using subprocess.run() with argument lists instead of shell strings. This design choice effectively mitigates shell injection vulnerabilities that could otherwise occur if malicious filenames were processed.
- Data Exposure & Exfiltration (SAFE): The skill does not attempt to access sensitive file paths (such as SSH keys or environment files) and contains no hardcoded credentials. Network operations described in the documentation, such as RTMP streaming, are consistent with the skill's primary media-processing purpose.
- Dependency Security (SAFE): The skill relies on standard system binaries (FFmpeg, ImageMagick) and reputable Python testing libraries (pytest). No suspicious or unverifiable third-party packages are included.
- Indirect Prompt Injection (SAFE): While the skill ingests media files in media_convert.py (ingestion point), it treats them as binary data for processing via ffmpeg (capability inventory). It does not parse media content for instructions, and filenames are sanitized via list-based argument passing (sanitization), preventing injection into the agent's logic.
Audit Metadata