video-concat
Warn
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: MEDIUM
COMMAND_EXECUTION, REMOTE_CODE_EXECUTION
Full Analysis
- [COMMAND_EXECUTION] (MEDIUM): The skill dynamically constructs and executes shell commands using user-supplied file paths and configuration options.
  - Evidence: Step 1 (`ffprobe ... "$INPUT_FILE"`) and Step 4 (`ffmpeg ... "OUTPUT.mp4"`) show variables derived from user input being used directly in shell execution.
  - Risk: If a user provides a filename containing shell metacharacters (e.g., `;`, `&`, or `$()`), it could result in arbitrary command execution (RCE) if the agent's runtime does not strictly sanitize the input.
- [REMOTE_CODE_EXECUTION] (MEDIUM): The skill ingests untrusted filenames and uses them in high-capability tools (ffmpeg) without explicit sanitization instructions.
  - Ingestion points: Video file paths provided by the user in Step 1.
  - Boundary markers: Absent.
  - Capability inventory: Full subprocess execution of ffmpeg, ffprobe, and cat.
  - Sanitization: Absent. The skill uses standard shell quoting, which is insufficient to prevent command injection if the underlying agent environment does not perform additional escaping.
Audit Metadata