fal-lip-sync

Warn

Audited by Gen Agent Trust Hub on Apr 3, 2026

Risk Level: MEDIUM (COMMAND_EXECUTION, CREDENTIALS_UNSAFE)
Full Analysis
  • [COMMAND_EXECUTION]: The scripts scripts/lip-sync.sh and scripts/talking-head.sh use shell variable interpolation to build JSON payloads (e.g., PAYLOAD="{\"video_url\": \"$VIDEO_URL\", \"audio_url\": \"$AUDIO_URL\"}"). If a user provides a URL containing double quotes or other shell-special characters, it could result in JSON injection or unexpected behavior in the API request.
  • [CREDENTIALS_UNSAFE]: The scripts include a flag --add-fal-key that writes the provided API key directly into a .env file (echo "FAL_KEY=$2" > .env). While storing secrets in .env is a common practice, the skill encourages providing the secret as a command-line argument, which may leave the key visible in the shell history or process list.
  • [COMMAND_EXECUTION]: The SKILL.md file references an external script /mnt/skills/user/fal-generate/scripts/search-models.sh that is not included in the provided skill files, making its behavior unverifiable.
Audit Metadata
Risk Level: MEDIUM
Analyzed: Apr 3, 2026, 05:07 PM