video-asset-manager
Warn
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: MEDIUM
CREDENTIALS_UNSAFE, EXTERNAL_DOWNLOADS, COMMAND_EXECUTION
Full Analysis
- [CREDENTIALS_UNSAFE] (MEDIUM): The script `scripts/search_pexels.py` accepts the Pexels API key via the `--api-key` command-line argument. This is considered unsafe as command-line arguments are often visible to other users and processes on the system (e.g., via `ps` or `/proc`).
- [EXTERNAL_DOWNLOADS] (MEDIUM): The skill performs automated downloads from URLs retrieved from the Pexels API. While Pexels is a legitimate service, the script `scripts/search_pexels.py` blindly trusts the `link` field from the API response without validation, which could be exploited if the API response is intercepted or manipulated.
- [INDIRECT PROMPT INJECTION] (MEDIUM): The skill possesses a vulnerability surface where untrusted data from `scene-plan.json` is used to construct prompts for GenSpark AI.
  - Ingestion points: `scene-plan.json` (specifically `clipKeywords`) processed in `SKILL.md` and `scripts/search_pexels.py`.
  - Boundary markers: Absent. The keywords are joined directly into search queries or AI prompts.
  - Capability inventory: File system write access (`assets/` directory), Network GET requests (`requests.get`), and instructions for web-based AI interaction.
  - Sanitization: None. The skill does not filter or escape keywords before using them in external service calls or prompt construction.
- [COMMAND_EXECUTION] (LOW): The skill documentation provides shell commands for running Python scripts. While standard, users should be cautious when executing scripts that take external files as input.
Audit Metadata