Skills
skills/lgariv-dn/frontend-skills/pr-demo-recorder/Gen Agent Trust Hub

pr-demo-recorder

Fail

Audited by Gen Agent Trust Hub on Apr 17, 2026

Risk Level: HIGHREMOTE_CODE_EXECUTIONCOMMAND_EXECUTIONEXTERNAL_DOWNLOADS
Full Analysis
  • [REMOTE_CODE_EXECUTION]: The ensure-webreel.sh script automatically installs the drogers0/gh-image GitHub extension. This extension originates from an untrusted personal repository and, according to the skill's own documentation in SKILL.md, functions by extracting sensitive browser session cookies for authentication.
  • [EXTERNAL_DOWNLOADS]: The ensure-webreel.sh script fetches a companion skill from the vercel-labs GitHub repository. While this source is recognized as a well-known service, the automated download and placement of executable markdown into the user's skill directory should be monitored.
  • [COMMAND_EXECUTION]: The SKILL.md file (Phase 4) describes a two-pass workflow involving a Python script to extend video timelines by modifying JSON files. However, this script is not provided in the skill's file set, meaning the agent may attempt to generate or download unverifiable code to fulfill this requirement.
  • [COMMAND_EXECUTION]: The upload-to-pr.sh script uses the GitHub Contents API to commit binary video/image files directly to the repository branch. This behavior is explicitly flagged as a 'CRITICAL' violation in the skill's own SKILL.md documentation, as it causes permanent repository history bloat.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level
HIGH
Analyzed
Apr 17, 2026, 03:09 PM