product-video
Pass
Audited by Gen Agent Trust Hub on Mar 9, 2026
Risk Level: SAFE
COMMAND_EXECUTION, EXTERNAL_DOWNLOADS
Full Analysis
- [COMMAND_EXECUTION]: The skill's workflow depends on the execution of several local scripts and command-line utilities. This includes a shell script for asset collection (collect_assets.sh), a Node.js script for browser-based screen recording (record_demo.js), and a Python script for voiceover generation (generate_voiceover.py). It also utilizes FFmpeg for audio/video manipulation and the Remotion framework for video synthesis.
- [EXTERNAL_DOWNLOADS]: The skill incorporates external content from well-known stock media providers including Unsplash, Pexels, and Pixabay for image assets. It also leverages the edge-tts service and mentions Azure TTS as a high-quality alternative for voice synthesis.
- [INDIRECT_PROMPT_INJECTION]: The skill demonstrates a vulnerability surface for indirect prompt injection as it processes untrusted user input and external assets through a high-capability execution environment.
  - Ingestion points: User-provided product themes, descriptions, and externally sourced image/video assets (Phase 2).
  - Boundary markers: None identified in the skill instructions to distinguish between instructions and data.
  - Capability inventory: Significant capability including shell script execution, headless browser automation (Playwright), and local file system operations for video rendering.
  - Sanitization: No explicit sanitization or validation steps are defined before passing user-provided strings to the TTS engine or the rendering scripts.
Audit Metadata