video-gen
Pass
Audited by Gen Agent Trust Hub on Mar 1, 2026
Risk Level: SAFECOMMAND_EXECUTIONDATA_EXFILTRATION
Full Analysis
- [COMMAND_EXECUTION]: The instructions in SKILL.md guide the AI agent to construct shell commands by interpolating user-provided data, such as video prompts and output paths, into a command-line string. This pattern introduces a vulnerability surface for command injection if the agent does not properly escape shell metacharacters provided by the user.
- [DATA_EXFILTRATION]: The video-gen.py script retrieves the MAX_API_KEY environment variable and sends it to the external endpoint at internal.infquest.com. While this is necessary for the skill's primary video generation purpose, it involves sending sensitive credentials to a non-standard external domain.
Audit Metadata